CVE-2024-10633

Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Unauthenticated Arbitrary Shortcode Execution via content

highImproper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

7.3

CVSS Score

7.3

CVSS Score

high

Severity

31.8.0.100

Patched in

47d

Time to patch

Description

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: The three variations of this software (Business, Developer, and Agency) share the same plugin slug, so you may get an alert even if you are running the latest version of any of the pieces of software. In these cases it is safe to dismiss the notice once you've confirmed your site is on a patched version of the applicable software.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Low

Confidentiality

Low

Integrity

Low

Availability

Technical Details

Affected versions>=30.0.0 <=31.8.0

PublishedJanuary 25, 2025

Last updatedMarch 12, 2025

Affected pluginquiz-maker

Source Code

WordPress.org SVN

Vulnerable v6.7.1.30

Browse source Download .zip

Patched

Patched version not available.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/eb81f83f-a0e7-46d9-b106-fe31f8ad3eb9?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database