CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2024-10574 – Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Missing Authorization to Google Sheets Integration Credentials Modification and Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-10574
25 Jan 2025 — The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ays_save_google_credentials' function in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This makes it possible for unauthenticated attackers to modify the Google Sheets integration credentials within the plugin's settings. Because the 'client_id' parameter is... • https://ays-pro.com/changelog-for-quiz-maker-pro • CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-10628 – Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Unauthenticated SQL Injection via id
https://notcve.org/view.php?id=CVE-2024-10628
25 Jan 2025 — The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be... • https://ays-pro.com/changelog-for-quiz-maker-pro • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-10633 – Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Unauthenticated Arbitrary Shortcode Execution via content
https://notcve.org/view.php?id=CVE-2024-10633
25 Jan 2025 — The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. The Quiz Maker Business, Developer, ... • https://ays-pro.com/changelog-for-quiz-maker-pro • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-10636 – Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Reflected DOM-Based Cross-Site Scripting via content
https://notcve.org/view.php?id=CVE-2024-10636
25 Jan 2025 — The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an act... • https://ays-pro.com/changelog-for-quiz-maker-pro • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 84%CPEs: 1EXPL: 1CVE-2024-6028 – Quiz Maker <= 6.5.8.3 - Unauthenticated SQL Injection via 'ays_questions' Parameter
https://notcve.org/view.php?id=CVE-2024-6028
24 Jun 2024 — The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'ays_questions' parameter in all versions up to, and including, 6.5.8.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. El complemento Quiz Maker para WordPress es vul... • https://github.com/truonghuuphuc/CVE-2024-6028-Poc • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1078 – Quiz Maker <= 6.5.2.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification
https://notcve.org/view.php?id=CVE-2024-1078
06 Feb 2024 — The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes. El complemento Quiz Maker para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en las funciones ays... • https://plugins.trac.wordpress.org/changeset/3032035/quiz-maker/tags/6.5.2.5/admin/class-quiz-maker-admin.php?old=3030468&old_path=quiz-maker%2Ftags%2F6.5.2.4%2Fadmin%2Fclass-quiz-maker-admin.php • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1079 – Quiz Maker <= 6.5.2.4 - Missing Authorization to Unauthenticated Quiz Data Retrieval
https://notcve.org/view.php?id=CVE-2024-1079
06 Feb 2024 — The Quiz Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_show_results() function in all versions up to, and including, 6.5.2.4. This makes it possible for unauthenticated attackers to fetch arbitrary quiz results which can contain PII. El complemento Quiz Maker para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificación de capacidad en la función ays_show_results() en todas las versiones hasta la 6.5... • https://plugins.trac.wordpress.org/changeset/3032035/quiz-maker/tags/6.5.2.5/admin/class-quiz-maker-admin.php?old=3030468&old_path=quiz-maker%2Ftags%2F6.5.2.4%2Fadmin%2Fclass-quiz-maker-admin.php • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22027 – Quiz Maker <= 6.5.0.5 - Denial of Service
https://notcve.org/view.php?id=CVE-2024-22027
12 Jan 2024 — Improper input validation vulnerability in WordPress Quiz Maker Plugin prior to 6.5.0.6 allows a remote authenticated attacker to perform a Denial of Service (DoS) attack against external services. Una vulnerabilidad de validación de entrada incorrecta en WordPress Quiz Maker Plugin anterior a 6.5.0.6 permite a un atacante remoto autenticado realizar un ataque de denegación de servicio (DoS) contra servicios externos. The Quiz Maker plugin for WordPress is vulnerable to denial of service in all versions up ... • https://jvn.jp/en/jp/JVN37326856 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6166 – Quiz Maker < 6.4.9.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6166
30 Nov 2023 — The Quiz Maker WordPress plugin before 6.4.9.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting El complemento Quiz Maker WordPress anterior a 6.4.9.5 no escapa de las URL generadas antes de mostrarlas en atributos, lo que genera Cross-Site Scripting Reflejado. The Quiz Maker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 6.4.9.4 due to insufficient input sanitization and output escaping. Th... • https://wpscan.com/vulnerability/e6155d9b-f6bb-4607-ad64-1976a8afe907 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6155 – Quiz Maker < 6.4.9.5 - Unauthenticated Email Address Disclosure
https://notcve.org/view.php?id=CVE-2023-6155
30 Nov 2023 — The Quiz Maker WordPress plugin before 6.4.9.5 does not adequately authorize the `ays_quiz_author_user_search` AJAX action, allowing an unauthenticated attacker to perform a search for users of the system, ultimately leaking user email addresses. El complemento Quiz Maker WordPress anterior a 6.4.9.5 no autoriza adecuadamente la acción AJAX `ays_quiz_author_user_search`, lo que permite que un atacante no autenticado realice una búsqueda de usuarios del sistema y, en última instancia, filtre las direcciones ... • https://wpscan.com/vulnerability/c62be802-e91a-4bcf-990d-8fd8ef7c9a28 • CWE-287: Improper Authentication CWE-862: Missing Authorization •