Quiz and Survey Master < 9.0.5 – Contributor+ Stored XSS | CVE 2024-6025 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its Quiz settings, which could allow contributors and higher to perform Stored Cross-Site Scripting attacks

Proof of Concept

1.) Create a new quiz.
2.) Setup a Contact Form and click on Label "Email" settings.
3.) Paste the following payload in the "Allow Domains" textbox.

123" something=' onmouseover=alert(/XSS/)//

The XSS will be triggered when viewing a Quiz

Affects Plugins

quiz-master-next

Fixed in 9.0.5

References

CVE

URL

https://research.cleantalk.org/cve-2024-6025/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

15abc7dd-95b1-4dad-ba25-eb65105d3925

Timeline

Publicly Published

2024-06-20 (about 1 year ago)

Added

2024-06-20 (about 1 year ago)

Last Updated

2024-06-20 (about 1 year ago)

Other

Published

Title

Published

2025-03-27

Title

LeadConnector < 3.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-11-03

Title

Clubmember <= 0.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2025-09-22

Title

Colibri Page Builder < 1.0.334 - Authenticated (Shop manager+) Stored Cross-Site Scripting

Published

2025-06-05

Title

Domain For Sale < 3.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter

Published

2025-02-20

Title

Mini Course Generator | Embed mini-courses and interactive content < 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting