Quiz And Survey Master < 7.1.14 - Reflected Cross-Site Scripting

2021-08-1000:00:00

wpscan.com

0.002 Low

EPSS

Percentile

60.8%

JSON

The plugin does not sanitise or escape the ‘s’ and paged GET parameter before outputting them in attributes, leading to Reflected Cross-Site Scripting issues

PoC

https://example.com/wp-admin/admin.php?page=mlw_quiz_list&s;=“>&paged;=”>

CPENameOperatorVersion
quiz-master-nextlt7.1.14

CPE	Name	Operator	Version
	quiz-master-next	lt	7.1.14

References

jvn.jp/en/jp/JVN65388002/

0.002 Low

EPSS

Percentile

60.8%

JSON

Related for WPVDB-ID:4DEB3464-00ED-483B-8D91-F9DFFE2D57CF