Quiz Maker < 6.5.2.5 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification | CVE 2024-1078 | Plugin Vulnerabilities

Description

The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes.

Affects Plugins

Fixed in 6.5.2.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

4ce7ab1b-bbff-4f1a-abd8-3284cca1a881

Timeline

Publicly Published

2024-02-06 (about 3 months ago)

Added

2024-02-06 (about 3 months ago)

Last Updated

2024-02-06 (about 3 months ago)

Other

Published

Title

Published

2023-11-23

Title

Debug Log Manager < 2.2.2 - Subscriber+ Debug Log Clearing

Published

2024-04-29

Title

Academy LMS < 1.9.17 - Missing Authorization

Published

2022-08-19

Title

Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Deletion

Published

2023-12-27

Title

Piotnet Forms < 1.0.30 - Missing Authorization via multiple AJAX actions

Published

2023-10-27

Title

Post Meta Data Manager < 1.2.1 - Subscriber+ Privilege Escalation