• Resolved accucomm

    (@accucomm)


    Gentlemen:

    I thought you should know that someone has apparently cracked the security of your plugin. I’ve used QSM for years to drive a quiz that I use to collect email addresses for my mailing list. On a good day I would get one or two responses. Well, today I got 242 in a matter of minutes, which is a sure symptom that they’re coming from a spambot.

    I immediately removed the banner that led to the quiz, turned off the QSM plugin and the certificate plugin and set the page where the quiz link lived to “draft”. Basically, I deactivated anything related to QSM. The spam stopped!

    Now, here’s a suggestion: can’t you add a “honeypot” to your form script so that this type of problem can’t happen?

    Orlando Mergal

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Support sadiyakhanam

    (@sadiyakhanam)

    Hello @accucomm,

    Thank you so much for reaching out and explaining the issue you’re experiencing.

    I sincerely apologize for any inconvenience this may have caused you. We completely understand your concern about receiving spam messages. Could you please provide a list of the spam entries along with the quiz time taken? You can find this information by navigating to the QSM sidebar and selecting Results. There, you will see details such as time taken and name. Kindly share this information with us through screenshots, as it will greatly assist us in understanding your situation better.

    Additionally, to help safeguard your site against spam, please consider the following recommendations:

    Use a CAPTCHA plugin: Install and activate a CAPTCHA plugin on your WordPress site, such as Google reCAPTCHA or hCaptcha. This technology helps differentiate between human users and automated bots.

    Install an anti-spam plugin: Consider using an anti-spam plugin like Akismet. Akismet is a robust tool designed to filter out spam comments and trackbacks.

    Please rest assured that we are here to support you every step of the way, and we are fully committed to resolving this matter promptly for you.

    We look forward to your response.

    Warm regards,
    Sadiya

    Thread Starter accucomm

    (@accucomm)

    Hi Sadiya:

    I made an image capture of the information that you requested, but this form doesn’t provide for file uploads. So I placed it here: https://www.puertoricobygps.com/qsm-issue/results-screen-capture.jpg

    You should also know that I’ve been using Akismet for years as well as the “WP Image CAPTCHA” plugin. I’ll look into those other captcha plugins that you suggested.

    Let me know what you find,

    Orlando

    Thread Starter accucomm

    (@accucomm)

    By the way, I installed hCaptcha on my site but QSM doesn’t appear as one of the supported plugins. Instead QSM wants me to install the reCaptcha plugin which sells for over $100. I’d rather just remove QSM altogether and be done with the problem.

    Plugin Support sadiyakhanam

    (@sadiyakhanam)

    Hello @accucomm,

    Thank you for providing further details regarding your issue. I wanted to let you know that we are actively looking into it. Our team is fully dedicated to finding a resolution and will provide you with an update as soon as possible.

    We understand how important this matter is to you and deeply appreciate your patience and understanding during this time. Please rest assured that we are doing everything we can to address your concerns promptly and thoroughly.

    Kind regards,
    Sadiya

    Plugin Support sadiyakhanam

    (@sadiyakhanam)

    Hello @accucomm,

    Thank you for your patience while we reviewed your issue.

    Our team has carefully examined the problem you reported. We recommend using the Captcha question type and enabling the “required question” setting, as shown in the attached screenshot.

    This setup will display the CAPTCHA input field in the quiz, ensuring it validates before the quiz is submitted. To accomplish this, follow these steps:

    • Navigate to QSM > Quizzes and Surveys.
    • Go to the Questions tab.
    • Click on the question type.
    • Save the questions.

    We hope this helps, and we’re here if you have any further questions.

    Kind regards,
    Sadiya

    Thread Starter accucomm

    (@accucomm)

    I’m afraid your solution just won’t cut it. First of all, all my questions are “required questions” and whoever is hitting my form is simply answering them all wrong. That’s why his score is zero. Adding a CAPTCHA question will only create one more opportunity for him to get it wrong.

    Furthermore, I can’t understand what this fellow gains by flooding my database with empty quizzes and fake email addresses. What I do know is that I still have the plugin deactivated and it will probably have to stay that way.

    The real solution would be to add a captcha field in the registration form at the beginning of the process. A honeypot field would also probably do the trick. But, of course, you guys want to cash in on the deficiency and you elect to put out crippleware instead.

    I guess I’ll end up removing QSM altogether.

    Thank you.

    • This reply was modified 5 months, 1 week ago by accucomm.

    Hi @accucomm,

    Thank you for sharing your detailed feedback and for your patience while we reviewed your issue.

    We understand your concerns and, first, I want to assure you that we take security and user experience very seriously at QSM. We sincerely apologize for any negative experience you’ve had with our plugin.

    Regarding the spam entries, we’ve thoroughly reviewed the screenshots you provided. It appears that the attackers might be bypassing browser-level validations. To address this, we can help you implement a custom code solution that adds an extra layer of validation to your quizzes. This should help reduce spam entries significantly. Here’s the code snippet you can use:

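    // Reject quiz submissions whose 'timer' POST field is missing or zero.
    function qsm_validation_submit_results_before( $qmn_quiz_options, $qmn_array_for_variables ) {
        global $mlwQuizMasterNext;
        // intval() yields 0 when 'timer' is absent or non-numeric.
        $mlw_qmn_timer = isset( $_POST['timer'] ) ? intval( $_POST['timer'] ) : 0;
        if ( 0 === $mlw_qmn_timer ) {
            // Send the error response and stop processing the request.
            echo wp_json_encode(
                array(
                    'display'       => __( 'Invalid Request!', 'qsm-recaptcha' ),
                    'redirect'      => false,
                    'result_status' => array(
                        'save_response' => false,
                    ),
                )
            );
            exit();
        }
    }
    // add_action( hook, callback, priority, accepted_args ): priority 2, up to 10 arguments.
    add_action( 'qsm_submit_results_before', 'qsm_validation_submit_results_before', 2, 10 );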

    This code will help ensure that only valid submissions are accepted, adding an additional check that should help mitigate spam attacks.

    We’re continuously working to improve our plugin’s flexibility. We respect your choice and are here to help you with any other solutions that might fit your needs.

    To further clarify the usefulness of the Captcha question in QSM, we have created a short screen recording demonstrating how it works effectively to block basic spam entries. This can be a quick and easy solution for many users facing similar issues.

    You can view the screen recording here; without a correct answer to the Captcha question, QSM doesn’t record any result:

    We encourage you to try these solutions and let us know if you encounter any issues or need further assistance. Our goal is to ensure that QSM remains a valuable tool for your site without compromising security or user experience.

    Thank you for your understanding and continued support. We are always here to help and are committed to providing you with the best possible service.

    Best regards,
    Avi
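
A server-side variant of the check discussed in this thread, shown as an added example that is not part of any post and is not QSM's own code. It keeps the `qsm_submit_results_before` hook and the JSON response shape from the snippet above, and adds a minimum elapsed time and a per-IP submission limit; the `qsm_ex_` names, the thresholds, and the reading of `timer` as elapsed seconds are assumptions.

```php
<?php
// Added example, not QSM code. All qsm_ex_ / QSM_EX_ names and limits are hypothetical.
define( 'QSM_EX_MIN_SECONDS', 5 );                 // assumed fastest plausible human run
define( 'QSM_EX_MAX_PER_WINDOW', 3 );              // assumed submissions allowed per IP
define( 'QSM_EX_WINDOW', 10 * MINUTE_IN_SECONDS ); // window length in seconds

// Emit the same JSON shape as the snippet in the thread and stop the request.
function qsm_ex_reject( $message ) {
    echo wp_json_encode(
        array(
            'display'       => esc_html( $message ),
            'redirect'      => false,
            'result_status' => array(
                'save_response' => false,
            ),
        )
    );
    exit();
}

function qsm_ex_throttle_submissions() {
    // 1. Elapsed-time floor. Assumes 'timer' is seconds spent on the quiz.
    //    The value is client-supplied, so it only filters bots that omit it
    //    or submit implausibly fast; check 2 does not depend on client data.
    $timer = isset( $_POST['timer'] ) ? absint( $_POST['timer'] ) : 0;
    if ( $timer < QSM_EX_MIN_SECONDS ) {
        qsm_ex_reject( 'Invalid request.' );
    }

    // 2. Per-IP counter stored in a transient. Behind a reverse proxy or CDN,
    //    REMOTE_ADDR is the proxy's address and must be replaced accordingly.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    $key   = 'qsm_ex_rl_' . md5( $ip );
    $count = (int) get_transient( $key ); // false (no entry) casts to 0
    if ( $count >= QSM_EX_MAX_PER_WINDOW ) {
        qsm_ex_reject( 'Too many submissions. Please try again later.' );
    }
    // Each accepted submission restarts the expiry, so the window slides.
    set_transient( $key, $count + 1, QSM_EX_WINDOW );
}
// Default priority (10); the callback takes no arguments.
add_action( 'qsm_submit_results_before', 'qsm_ex_throttle_submissions' );
```

With a limit of 3 per 10 minutes, a burst like the 242 submissions described in the first post would store at most 3 results per source address before further requests are refused.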

    Thread Starter accucomm

    (@accucomm)

    Good morning Avi:

    Where exactly am I supposed to place the suggested code snippet?

    Orlando

    Avi

    (@avi25)

    Hi @accucomm

    You can add the above mentioned code in the functions.php file of your theme.

    Here’s how:

    1. Navigate to Tools from your WordPress website’s sidebar menu.
    2. Select Theme File Editor.
    3. A new page will load; here, make sure your current theme is selected in the dropdown at the top right corner.
    4. Under the Theme Files section, select functions.php.
    5. Now the functions of your theme will be listed in the “Selected file content” section at the left.
    6. You can add the provided code at the end of your file.

    Once done, just click on the “Update file” button.

    I hope this helps. Feel free to contact us if you face any trouble; I’d do my best to resolve it for you.

    Regards,
    Avi

    Thread Starter accucomm

    (@accucomm)

    Hi Avi:

    I’m using a child theme, so I put the code snippet in the functions.php file of the child theme. Right?

    Orlando

    Avi

    (@avi25)

    Hello @accucomm

    Yes, you can add the code in the functions.php file of the child theme of your website.

    Plugin Support sadiyakhanam

    (@sadiyakhanam)

    Hello @accucomm,

    We hope you are doing well!

    Since we haven’t received any response from your end, I’ll be marking this ticket as resolved. However, please don’t hesitate to reach out to us if you have any further queries or require additional assistance.

    Thank you!
