WordPress Plugin Vulnerabilities

Quiz And Survey Master < 7.1.14 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise or escape the 's' and paged GET parameter before outputting them in attributes, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
quiz-master-next
Fixed in 7.1.14

References

CVE
CVE-2021-20792
URL
https://jvn.jp/en/jp/JVN65388002/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Gen Sato of Mitsui Bussan Secure Directions, Inc
Verified
Yes
WPVDB ID
4deb3464-00ed-483b-8d91-f9dffe2d57cf

Timeline

Publicly Published
2021-08-10 (about 4 years ago)
Added
2021-08-10 (about 4 years ago)
Last Updated
2023-01-26 (about 3 years ago)

Other

Published
Title
Published
2025-01-18
Title
Weaver Themes Shortcode Compatibility <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
PDF And Print Button Joliprint <= 1.3.0 - Cross Site Scripting
Published
2022-08-01
Title
Download Manager < 3.2.49 - Contributor+ Stored Cross-Site Scripting
Published
2024-12-06
Title
워드프레스 결제 심플페이 – 우커머스 결제 플러그인 < 5.2.3 - Reflected Cross-Site Scripting via add_query_arg Function
Published
2024-02-20
Title
Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting