HD Quiz < 1.8.12 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings | CVE 2024-22161 | Plugin Vulnerabilities

Description

The HD Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Fixed in 1.8.12

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d3abf6bd-bece-470e-93c7-ab9968171a3f

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Myungju Kim

Verified

No

WPVDB ID

10d9b007-5865-43d8-a1bf-31912d541b17

Timeline

Publicly Published

2024-01-16 (about 2 years ago)

Added

2024-01-19 (about 2 years ago)

Last Updated

2024-01-19 (about 2 years ago)

Other

Published

Title

Published

2023-01-06

Title

Blog Designer – Post and Widget < 2.4.1 - Contributor+ Stored XSS via Shortcode

Published

2012-05-15

Title

WP Statistics <= 2.2.4 - Cross-Site Scripting (XSS)

Published

2014-08-01

Title

Car Demon 1.0.1 - /wp-admin/post.php Multiple Parameter XSS

Published

2011-09-22

Title

WP Recentcomments < 2.0.7 - XSS

Published

2024-02-14

Title

Action Network < 1.4.3 - Reflected Cross-Site Scripting via 'search'