Watu Quiz < 3.4.1.2 – Author+ Stored XSS | CVE 2024-2640 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow users such as authors (if they've been authorized by admins) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

1. Allow Authors to access the plugin's settings.
2. Using an Author account, edit the demo Quiz questions.
3. Use the following within the question and answers: Answer One `<img src=1 onerror=alert(document.cookie)>`
4. Browse the Quiz on the front-end and notice the alert triggers.

Affects Plugins

Fixed in 3.4.1.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Eunho Kim

Submitter

Eunho Kim

Submitter website

https://aiton.tistory.com/

Verified

Yes

WPVDB ID

d46db635-9d84-4268-a789-406a0db4cccf

Timeline

Publicly Published

2024-06-21 (about 1 year ago)

Added

2024-06-21 (about 1 year ago)

Last Updated

2024-06-21 (about 1 year ago)

Other

Published

Title

Published

2023-01-19

Title

WP eBay Product Feeds < 3.4 - Admin+ Stored XSS

Published

2019-11-08

Title

Safe SVG < 1.9.6 - XSS Protection Bypass

Published

2023-03-27

Title

Easy Forms for MailChimp < 6.8.7 - Contributor+ Stored XSS

Published

2026-01-22

Title

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin < 7.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2017-03-01

Title

Gwolle Guestbook <= 2.1.0 - Unauthenticated Stored Cross-Site Scripting (XSS)