Qwiz Online Quizzes And Flashcards <= 3.36 – Unauthenticated Reflected Cross Site Scripting

Description

The qname, i_qwiz, session_id and username parameters passed to the registration_complete.php file are affected by XSS issues.

Plugin has been closed while the issue is being fixed.

Proof of Concept

/wp-content/plugins/qwiz-online-quizzes-and-flashcards/registration_complete.php?&qname=</script><script>alert("XSS")</script>

Affects Plugins

qwiz-online-quizzes-and-flashcards

Fixed in 3.37

References

URL

https://packetstormsecurity.com/files/#154403/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Ricardo Sanchez

Verified

WPVDB ID

d3c10f69-87b6-43fd-bcbc-c2d35b683ff4

Timeline

Publicly Published

2019-09-07 (about 6 years ago)

Added

2019-09-10 (about 6 years ago)

Last Updated

2019-11-28 (about 6 years ago)

Other

Published

Title

Published

2023-10-02

Title

FooGallery < 2.3.2 - Reflected XSS

Published

2022-09-07

Title

Goolytics - Simple Google Analytics < 1.1.2 - Admin+ Stored Cross-Site Scripting

Published

2024-05-22

Title

Advanced iFrame < 2024.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-07-28

Title

Fan Page <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

Published

2023-04-13

Title

Simple Popup Images <= 1.8.6 - Admin+ Stored XSS