The Quiz and Survey Master (QSM) WordPress plugin before 9.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
History

Mon, 07 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Sep 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Expresstech
Expresstech quiz And Survey Master
Weaknesses CWE-79
CPEs cpe:2.3:a:expresstech:quiz_and_survey_master:*:*:*:*:*:wordpress:*:*
Vendors & Products Expresstech
Expresstech quiz And Survey Master
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Mon, 23 Sep 2024 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Sep 2024 06:15:00 +0000

Type Values Removed Values Added
Description The Quiz and Survey Master (QSM) WordPress plugin before 9.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Title Quiz and Survey Master (QSM) < 9.1.3 - Author+ Stored XSS
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-09-23T06:00:05.005Z

Updated: 2024-10-07T20:39:27.674Z

Reserved: 2024-09-12T18:04:20.275Z

Link: CVE-2024-8758

cve-icon Vulnrichment

Updated: 2024-09-23T15:29:24.439Z

cve-icon NVD

Status : Modified

Published: 2024-09-23T06:15:04.310

Modified: 2024-10-07T21:35:03.193

Link: CVE-2024-8758

cve-icon Redhat

No data.