WordPress Plugin Vulnerabilities

Quiz Maker Business, Developer, and Agency - Reflected DOM XSS via content

Description

The plugins are vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
quiz-maker
Fixed in 8.8.0.100
Plugin icon
quiz-maker
Fixed in 31.8.0.100
Plugin icon
quiz-maker
Fixed in 21.8.0.100

References

CVE
CVE-2024-10636
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6e845eae-dae9-40bb-aca9-21afaa40576d

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
abrahack
Verified
No
WPVDB ID
4116c779-0c65-403b-8b37-e63f730e9d50

Timeline

Publicly Published
2025-01-25 (about 1 year ago)
Added
2025-01-25 (about 1 year ago)
Last Updated
2025-02-03 (about 1 year ago)

Other

Published
Title
Published
2023-02-16
Title
Portfolio - WordPress Portfolio < 2.8.11 - Contributor+ Stored XSS
Published
2025-10-19
Title
ListingPro <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-05-11
Title
Pricing Tables for WP <= 1.1.0 - Reflected Cross-Site Scripting via 'page' Parameter
Published
2024-03-29
Title
Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Separator Widget
Published
2023-07-12
Title
Art Direction <= 0.2.4 - Contributor+ Stored XSS