Vulnerability Description
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ays_save_google_credentials' function in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This makes it possible for unauthenticated attackers to modify the Google Sheets integration credentials within the plugin's settings. Because the 'client_id' parameter is not sanitized or escaped when used in output, this vulnerability could also be leveraged to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://ays-pro.com/changelog-for-quiz-maker-pro
- https://ays-pro.com/wordpress/quiz-maker
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a4feb3-908f-4fff-84f
FAQ
What is CVE-2024-10574?
CVE-2024-10574 is a vulnerability with a CVSS score of 7.2 (HIGH). The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ays_save_google_credentials' function ...
How severe is CVE-2024-10574?
CVE-2024-10574 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-10574?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.