CVE-2024-2640

The Watu Quiz WordPress plugin before 3.4.1.2 does not sanitise and escape some of its settings, which could allow users such as authors (if they've been authorized by admins) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:kibokolabs:watu_quiz:*:*:*:*:*:wordpress:*:*

History

24 Jul 2024, 20:04

Type Values Removed Values Added
CWE CWE-79
References () https://wpscan.com/vulnerability/d46db635-9d84-4268-a789-406a0db4cccf/ - () https://wpscan.com/vulnerability/d46db635-9d84-4268-a789-406a0db4cccf/ - Exploit, Third Party Advisory
CPE cpe:2.3:a:kibokolabs:watu_quiz:*:*:*:*:*:wordpress:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
First Time Kibokolabs
Kibokolabs watu Quiz

12 Jul 2024, 12:49

Type Values Removed Values Added
Summary
  • (es) El complemento Watu Quiz para WordPress anterior a 3.4.1.2 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios como autores (si han sido autorizados por los administradores) realizar ataques de Cross Site Scripting almacenado incluso cuando la capacidad unfiltered_html no está permitida.

12 Jul 2024, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-12 06:15

Updated : 2024-08-01 13:49


NVD link : CVE-2024-2640

Mitre link : CVE-2024-2640

CVE.ORG link : CVE-2024-2640


JSON object : View

Products Affected

kibokolabs

  • watu_quiz
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')