WordPress Plugin Vulnerabilities

Quiz Maker < 6.2.0.9 - Multiple Authenticated Blind SQL Injections

Description

The plugin did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard

When we (WPScanTeam) confirmed the issues, more SQL Injections were identified, reported and fixed by the vendor but have not been detailed here.

Proof of Concept

Affects Plugins

Plugin icon
quiz-maker
Fixed in 6.2.0.9

References

CVE
CVE-2021-24456

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.6 (high)

Miscellaneous

Original Researcher
To Quang Duong
Submitter
duongtq
Verified
Yes
WPVDB ID
929ad37d-9cdb-4117-8cd3-cf7130a7c9d4

Timeline

Publicly Published
2021-06-29 (about 4 years ago)
Added
2021-06-29 (about 4 years ago)
Last Updated
2022-01-17 (about 3 years ago)

Other

Published
Title
Published
2025-05-16
Title
UberSlider <= 2.3 - Authenticated (Contributor+) SQL Injection
Published
2022-01-07
Title
Paid Memberships Pro < 2.6.7 - Unauthenticated Blind SQL Injection
Published
2024-04-18
Title
Forminator < 1.29.3 - Admin+ SQL Injection
Published
2014-08-01
Title
Mz-jajak <= 2.1 - index.php id Parameter SQL Injection
Published
2025-01-18
Title
LTL Freight Quotes – Worldwide Express Edition < 5.0.21 - Unauthenticated SQL Injection