The WordPress plugin Chained Quiz before 1.1.8.2 suffers from a reflected XSS vulnerability in the 'total_questions' POST parameter when a user completes a quiz. The code in question, in models/quiz.php, accepts the 'total_questions' parameter and writes it into the output without escaping special characters:

```php
// models/quiz.php: the raw POST value replaces the {{questions}} placeholder
$output = str_replace('{{questions}}', $_POST['total_questions'], $output);
```
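The unescaped substitution described above, next to a hardened form, as an added example that is not the plugin's code or its actual fix. The function names, the template string and the sample inputs are constructed, and treating 'total_questions' as a non-negative integer count is an assumption based on the parameter's name.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// Behaviour described in the advisory: the raw POST value lands in the HTML output.
function render_unescaped(string $template, array $post): string {
    return str_replace('{{questions}}', $post['total_questions'] ?? '', $template);
}

// Hardened form. Assumption: total_questions is a non-negative integer count.
function render_hardened(string $template, array $post): string {
    $count = filter_var(
        $post['total_questions'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($count === false || $count === null) {
        $count = 0; // anything that is not a plain integer is rejected
    }
    // Escape at the output sink too, so it stays safe if validation is later relaxed.
    return str_replace(
        '{{questions}}',
        htmlspecialchars((string) $count, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        $template
    );
}

// Constructed sample input: a normal value, a value carrying markup, a missing value.
$template = '<p>You answered {{questions}} questions.</p>';
$samples = [
    ['total_questions' => '12'],
    ['total_questions' => '<script>alert(1)</script>'],
    [],
];
foreach ($samples as $post) {
    echo 'unescaped: ', render_unescaped($template, $post), PHP_EOL;
    echo 'hardened:  ', render_hardened($template, $post), PHP_EOL;
}
```

Inside WordPress, `absint()` and `esc_html()` are the usual equivalents of the validation and escaping steps shown here.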
CPE

Name | Operator | Version |
---|---|---|
chained-quiz | lt | 1.1.8.2 |