WordPress Plugin Vulnerabilities

Chained Quiz < 1.3.2.3 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape its facebook_appid and api_key settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
chained-quiz
Fixed in 1.3.2.3

References

CVE
CVE-2022-4216
CVE
CVE-2022-4217

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Muhammad Zeeshan (Xib3rR4dAr)
Verified
No
WPVDB ID
0ed06a0e-1035-4e97-9853-1514a3951509

Timeline

Publicly Published
2022-12-02 (about 3 years ago)
Added
2022-12-03 (about 3 years ago)
Last Updated
2022-12-03 (about 3 years ago)

Other

Published
Title
Published
2026-03-20
Title
Comment SPAM Wiper <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting
Published
2022-01-03
Title
Visual CSS Style Editor < 7.5.4 - Reflected Cross-Site Scripting
Published
2026-01-27
Title
Widget Logic Visual <= 1.52 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
SyntaxHighlighter Evolved <= 3.1.9 - Unspecified Cross-Site Scripting (XSS)
Published
2025-07-24
Title
ElementsKit Elementor Addons and Templates < 3.5.3 - Contributor+ Stored XSS