6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
The plugin did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link
https://example.com/quiz/test-quiz/?result_id=1597bc5d9f9a2c9659152522904df0c0%3C%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
Reproduction steps:
1) Create a quiz.
2) In the "results pages" tab add the %RESULT_LINK% template to display a link to your result when finishing the quiz.
3) Publish your quiz or click the preview button.
4) Take the quiz and copy your results link:
format: https://[wp-host]/quiz/[quiz-name]/?result_id=[result_id]
5) Append <"><script>alert(document.domain)</script> to the result_id and reload the page.
Note (WPScanTeam): As the affected function is hooked to the wp_head action, only the result_id is required to perform the attack, no need to go to the quiz page, ie https://example.com/?result_id=1597bc5d9f9a2c9659152522904df0c0%3C%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N