Quiz and Survey Master (QSM) < 9.1.0 – Contributor+ Stored XSS | CVE 2024-6390 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape some of its Quizz settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

Create/Edit a Quizz, put the payload below in the Text > Labels > Retake Quiz Button settings: 123" onmouseover=alert(1)//

The XSS will be triggered when moving the move over the Retake button after submitting a Quizz (as any user) on page/post where the Quizz is embed or while previewing it

Affects Plugins

quiz-master-next

Fixed in 9.1.0

References

CVE

URL

https://research.cleantalk.org/cve-2024-6390/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

00586687-33c7-4d84-b606-0478b1063d24

Timeline

Publicly Published

2024-07-13 (about 1 year ago)

Added

2024-07-13 (about 1 year ago)

Last Updated

2024-07-13 (about 1 year ago)

Other

Published

Title

Published

2019-09-04

Title

Spryng Payments for WooCommerce <= 1.6.7 - Unauthenticated Reflected XSS

Published

2025-01-08

Title

WhatsApp click to chat <= 3.0.4 - Reflected Cross-Site Scripting

Published

2024-09-09

Title

Forminator Forms – Contact Form, Payment Form & Custom Form Builder < 1.34.1 - Reflected Cross-Site Scripting

Published

2025-07-18

Title

JetSearch < 3.5.10.1 - Reflected Cross-Site Scripting

Published

2024-06-11

Title

BuddyPress < 12.5.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting