Cross-Site Scripting Vulnerability in SlickQuiz Plugin for WordPress
CVE-2019-12517
6.1 MEDIUM
Summary
A stored cross-site scripting (XSS) vulnerability in the SlickQuiz plugin for WordPress allows unauthenticated users to call the save_quiz_score functionality at the /wp-admin/admin-ajax.php endpoint. Through this endpoint an attacker can submit quiz solutions that are stored in the database and later displayed in the WordPress backend. When a stored solution contains a malicious script, it executes in the admin interface for every user with at least Subscriber rights. The root cause is the absence of validation and sanitization on input fields such as name and email, so the submitted markup is stored and rendered unchanged, putting all users at risk.
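The description above names two missing controls: input that is neither validated nor sanitized, and stored values that are rendered in the admin screen without escaping. The following is an added example, not code from this record and not the SlickQuiz plugin's own code, showing how a WordPress AJAX handler for a quiz-score submission can apply both controls. The hook names (example_save_quiz_score), the option name (example_quiz_scores), the nonce action, the field names and the manage_options capability check are assumptions made for illustration; the WordPress functions used (check_ajax_referer, sanitize_text_field, sanitize_email, is_email, esc_html and the wp_send_json helpers) are standard core APIs.

```php
<?php
// Added example: a hypothetical hardened quiz-score handler. Not SlickQuiz code.
// Hook names, option name, nonce action and field names are assumptions.

// admin-ajax.php dispatches to both hooks, so logged-out (nopriv) and
// logged-in submissions go through the same checks.
add_action( 'wp_ajax_nopriv_example_save_quiz_score', 'example_save_quiz_score' );
add_action( 'wp_ajax_example_save_quiz_score', 'example_save_quiz_score' );

function example_save_quiz_score() {
    // Require a nonce issued with the quiz page so arbitrary cross-site POSTs
    // to admin-ajax.php are rejected (dies with a 403 on failure).
    check_ajax_referer( 'example_quiz_submit', 'nonce' );

    // Sanitize on input: strip tags/encoded octets from the name and keep only
    // characters valid in an e-mail address. wp_unslash undoes WordPress's
    // automatic slashing of request data.
    $name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $score = absint( $_POST['score'] ?? 0 );

    // Validate: reject empty names and anything that is not a syntactically
    // valid address instead of storing it.
    if ( '' === $name || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'invalid name or email' ), 400 );
    }

    $entries   = get_option( 'example_quiz_scores', array() );
    $entries[] = array(
        'name'  => $name,
        'email' => $email,
        'score' => $score,
        'time'  => time(),
    );
    update_option( 'example_quiz_scores', $entries );

    wp_send_json_success();
}

// Backend rendering: escape every stored value at the point of output even
// though it was sanitized on input. This also neutralizes rows that were
// stored before the sanitization existed.
function example_render_quiz_scores() {
    // Assumed capability for viewing results; adjust to the role the site
    // actually grants access to.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    echo '<table class="widefat"><thead><tr>'
       . '<th>Name</th><th>Email</th><th>Score</th></tr></thead><tbody>';

    foreach ( get_option( 'example_quiz_scores', array() ) as $row ) {
        printf(
            '<tr><td>%s</td><td>%s</td><td>%d</td></tr>',
            esc_html( $row['name'] ),   // HTML-escape text nodes
            esc_html( $row['email'] ),
            (int) $row['score']         // cast numeric data; nothing to escape
        );
    }

    echo '</tbody></table>';
}
```

Sanitizing on input and escaping on output are independent layers: the first keeps junk out of the database, the second guarantees that whatever is in the database, including rows written by an older version of the plugin, is rendered as text rather than interpreted as markup when an administrator or subscriber views the results screen.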
References
CVSS v3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability reserved