CVE-2023-0429 – Watu Quiz < 3.3.8.3 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0429
The Watu Quiz WordPress plugin before 3.3.8.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Watu Quiz for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.3.8.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/67d84549-d368-4504-9fa9-b1fce63cb967 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-10111 – Watu Quiz Plugin Exam exam.php watu_exams sql injection
https://notcve.org/view.php?id=CVE-2015-10111
A vulnerability was found in Watu Quiz Plugin up to 2.6.7 on WordPress. It has been rated as critical. This issue affects the function watu_exams of the file controllers/exam.php of the component Exam Handler. The manipulation of the argument quiz leads to sql injection. The attack may be initiated remotely. • https://github.com/wp-plugins/watu/commit/bf42e7cfd819a3e76cf3e1465697e89f4830590c https://vuldb.com/?ctiid.230651 https://vuldb.com/?id.230651 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •