CVE-2023-6155
Quiz Maker < 6.4.9.5 - Unauthenticated Email Address Disclosure
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Quiz Maker WordPress plugin before 6.4.9.5 does not adequately authorize the `ays_quiz_author_user_search` AJAX action, allowing an unauthenticated attacker to perform a search for users of the system, ultimately leaking user email addresses.
El complemento Quiz Maker WordPress anterior a 6.4.9.5 no autoriza adecuadamente la acción AJAX `ays_quiz_author_user_search`, lo que permite que un atacante no autenticado realice una búsqueda de usuarios del sistema y, en última instancia, filtre las direcciones de correo electrónico de los usuarios.
The Quiz Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_quiz_author_user_search function in all versions up to 6.4.9.5 (exclusive). This makes it possible for unauthenticated attackers to perform a search for users and obtain user email addresses.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2023-11-15 CVE Reserved
- 2023-11-30 CVE Published
- 2024-07-10 EPSS Updated
- 2024-09-12 CVE Updated
- 2024-09-12 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-287: Improper Authentication
- CWE-862: Missing Authorization
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/c62be802-e91a-4bcf-990d-8fd8ef7c9a28 | 2024-09-12 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Ays-pro Search vendor "Ays-pro" | Quiz Maker Search vendor "Ays-pro" for product "Quiz Maker" | < 6.4.9.5 Search vendor "Ays-pro" for product "Quiz Maker" and version " < 6.4.9.5" | wordpress |
Affected
| ||||||