Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Watu Quiz watu allows Reflected XSS.This issue affects Watu Quiz: from n/a through <= 3.4.2.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of user input when generating a web page. An attacker can craft a request containing malicious scripts that are echoed back to the victim’s browser, enabling the execution of arbitrary JavaScript in the context of the site’s domain. This can lead to cookie theft, defacement, or malicious redirects. The flaw is a classic Reflected XSS labeled CWE‑79.

Affected Systems

Affected is the Watu Quiz plugin for WordPress, developed by Bob (Bob Watu Quiz). All released versions up to and including 3.4.2 are vulnerable. WordPress sites that have installed the plugin in these versions must consider remediation.

Risk and Exploitability

The CVSS v3.1 score of 7.1 indicates a medium‑to‑high severity, while the EPSS score of less than 1 % suggests a low probability of active exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through a crafted URL or input field that reflects back unfiltered data; an attacker only needs to send a request to the site hosting the plugin to trigger the script execution in a visitor’s browser.

Generated by OpenCVE AI on May 1, 2026 at 01:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Watu Quiz plugin to the latest version that includes the XSS fix (any release newer than 3.4.2).
  • If an upgrade is not immediately possible, deploy a Web Application Firewall configured to detect and block reflected XSS payloads targeting the plugin’s endpoints.
  • Regularly audit the plugin’s pages for unsanitized outputs and ensure any user‑generated content is properly escaped before rendering.

Generated by OpenCVE AI on May 1, 2026 at 01:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9474 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Watu Quiz allows Reflected XSS. This issue affects Watu Quiz: from n/a through 3.4.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Watu Quiz allows Reflected XSS. This issue affects Watu Quiz: from n/a through 3.4.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Watu Quiz watu allows Reflected XSS.This issue affects Watu Quiz: from n/a through <= 3.4.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 17 Jul 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Kibokolabs
Kibokolabs watu Quiz
CPEs cpe:2.3:a:kibokolabs:watu_quiz:*:*:*:*:*:wordpress:*:*
Vendors & Products Kibokolabs
Kibokolabs watu Quiz

Wed, 02 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Watu Quiz allows Reflected XSS. This issue affects Watu Quiz: from n/a through 3.4.2.
Title WordPress Watu Quiz plugin <= 3.4.2 - Reflected Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Kibokolabs Watu Quiz
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:58.609Z

Reserved: 2025-03-26T09:20:54.384Z

Link: CVE-2025-30844

cve-icon Vulnrichment

Updated: 2025-04-02T13:23:19.305Z

cve-icon NVD

Status : Modified

Published: 2025-04-01T21:15:45.307

Modified: 2026-04-23T15:27:10.753

Link: CVE-2025-30844

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T01:45:05Z

Weaknesses