WordPress Plugin Vulnerabilities

Quiz and Survey Master < 9.0.5 - Contributor+ Stored XSS

Description

The plugin does not sanitise and escape some of its Quiz settings, which could allow contributors and higher to perform Stored Cross-Site Scripting attacks

Proof of Concept

The PoC will be displayed on July 04, 2024, to give users the time to update.

Affects Plugins

Plugin icon
quiz-master-next
Fixed in 9.0.5

References

CVE
CVE-2024-6025
URL
https://research.cleantalk.org/cve-2024-6025/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verified
Yes
WPVDB ID
15abc7dd-95b1-4dad-ba25-eb65105d3925

Timeline

Publicly Published
2024-06-20 (about 12 days ago)
Added
2024-06-20 (about 11 days ago)
Last Updated
2024-06-20 (about 11 days ago)

Other

Published
Title
Published
2015-11-24
Title
Websimon Tables <= 1.3.4 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2023-01-25
Title
Post Views Count <= 3.0.2 - Contributor+ Stored XSS in Shortcode
Published
2022-12-23
Title
MonsterInsights < 8.9.1 - Stored Cross-Site Scripting via Google Analytics
Published
2024-07-01
Title
Post Meta Data Manager < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-05-03
Title
Testimonial Slider < 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting