CVE-2024-10628

Exploit

EPSS 0.43%
Veröffentlicht 26.01.2025 06:15:22
Zuletzt bearbeitet 27.09.2025 00:16:26
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Unauthenticated SQL Injection via id

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: The three variations of this software (Business, Developer, and Agency) share the same plugin slug, so you may get an alert even if you are running the latest version of any of the pieces of software. In these cases it is safe to dismiss the notice once you've confirmed your site is on a patched version of the applicable software.

Mögliche Gegenmaßnahme

Quiz Maker Agency: Update to version 31.8.0.100, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Quiz Maker Agency

Version 30.0.0-31.8.0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ays-pro ≫ Quiz Maker SwEditionbusiness SwPlatformwordpress Version >= 7.0.0 < 8.8.0.100

Ays-pro ≫ Quiz Maker SwEditiondeveloper SwPlatformwordpress Version >= 20.0.0 < 21.8.0.100

Ays-pro ≫ Quiz Maker SwEditionagency SwPlatformwordpress Version >= 30.0.0 < 31.8.0.100

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.621

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://ays-pro.com/changelog-for-quiz-maker-pro

Product

https://ays-pro.com/wordpress/quiz-maker

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd873e5-fd65-48c3-a71d-aaf6d8372606?source=cve

Third Party Advisory

https://abrahack.com/posts/quiz-maker-sqli/

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd873e5-fd65-48c3-a71d-aaf6d8372606

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-10628