WordPress Plugin Vulnerabilities

Watu Quiz < 3.4.1.1 - Sensitive Information Disclosure

Description

The Watu Quiz plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.1 via the watu-userinfo shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive user meta data which can include session tokens and user emails.

Affects Plugins

Plugin icon
watu
Fixed in 3.4.1.1

References

CVE
CVE-2024-0872
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/acc261eb-fafa-4e9d-b7ab-a449f14a7638

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
71fd1dfe-ca6c-4045-93c0-39934d80dd57

Timeline

Publicly Published
2024-04-04 (about 2 years ago)
Added
2024-04-04 (about 2 years ago)
Last Updated
2024-04-04 (about 2 years ago)

Other

Published
Title
Published
2025-07-25
Title
WoodMart < 8.2.7 - Unauthenticated Cart Manipulation
Published
2025-07-30
Title
Motors < 1.4.81 - Unauthenticated Insecure Direct Object Reference
Published
2026-01-02
Title
Tutor LMS < 3.9.5 - Authenticated (Instructor+) Insecure Direct Object Reference
Published
2024-06-06
Title
Tutor LMS – eLearning and online course solution < 2.7.2 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion
Published
2025-10-17
Title
WPC Smart Quick View for WooCommerce < 4.2.6 - Insecure Direct Object Reference to Unauthenticated Private Product Exposure