CVE-2024-10636 MEDIUM

CVE-2024-10636: Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Reflected DOM-Based Cross-Site Scripting via content

Vendor Ays Pro Plugins

Product Quiz Maker Developer

Weakness CWE-79 · XSS

Published January 26, 2025

Last update January 27, 2025

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

January 26, 2025 CVE published

January 27, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-10636 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2024-10636

CWE CWE-79

CVSS 6.1 / MEDIUM

Affected versions

Vendor Ays Pro Plugins

Product Quiz Maker Developer

Affected ≤ 21.8.0

Vendor Ays Pro Plugins

Product Quiz Maker Agency

Affected ≤ 31.8.0

Vendor Ays Pro Plugins

Product Quiz Maker Business

Affected ≤ 8.8.0

CVE-2024-10636: Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Reflected DOM-Based Cross-Site Scripting via content

01Description

02Disclosure timeline

03References

04Related CVE