Stored Cross-Site Scripting Vulnerability in Chained Quiz Plugin for WordPress
CVE-2022-4217

5.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Chained Quiz
Vendor: CVE Published:; 2 December 2022

What is CVE-2022-4217?

The Chained Quiz plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) via the 'api_key' parameter. This vulnerability arises from inadequate input sanitization and output encoding, allowing authenticated attackers with admin privileges to inject arbitrary scripts. Such scripts may execute when users access compromised pages, which can lead to severe security threats, including data theft or session hijacking. Users of versions up to and including 1.3.2.2 should update immediately to mitigate risks associated with this vulnerability.

Affected Version(s)

Chained Quiz * <= 1.3.2.2

References

https://plugins.trac.wordpress.org/changeset/2824193

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

https://www.wordfence.com/vulnerability-advisories-contin...

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 2, 2022
Vulnerability Reserved
Nov 29, 2022

Credit

Muhammad Zeeshan (Xib3rR4dAr)