Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Watu Quiz watu allows SQL Injection. This issue affects Watu Quiz: from n/a through <= 3.4.3.
Published: 2025-04-22
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Watu Quiz plugin for WordPress contains an input validation flaw that allows malicious users to inject arbitrary SQL statements. The vulnerability, identified as CWE-89, can enable an attacker to read, modify, or delete data stored in the WordPress database, and in some configurations could be leveraged for further code execution. The impact is a loss of confidentiality and integrity of the site’s data and potentially a full compromise of the underlying server if the database credentials allow system-level access.

Affected Systems

This issue affects the Bob Watu Quiz plugin for WordPress, with versions from the earliest release up to and including 3.4.3. All installations of the plugin within that version range are potentially vulnerable. No specific vendor or operating system versions are listed; any WordPress site running an affected version of the plugin is in scope.

Risk and Exploitability

The CVSS score of 7.6 indicates a high-severity vulnerability. The EPSS score of less than 1% indicates a low estimated probability of exploitation, but this does not remove the risk of a targeted attack. The vulnerability is not listed in the CISA KEV catalog, so there is no catalogued evidence of active exploitation. The likely attack vector is the web interface of the WordPress site, where an attacker could submit crafted input to the plugin’s quiz creation or editing forms to inject SQL code. The CVSS vector recorded for this CVE (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) specifies high privileges (PR:H), so the exposed endpoint could be targeted without authentication only if the plugin does not enforce normal user access controls.

Generated by OpenCVE AI on April 30, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Watu Quiz plugin to a release that removes the SQL injection flaw, such as the latest release available.
  • If an upgrade cannot be performed immediately, restrict the quiz creation and editing features to trusted administrative users and block unauthenticated access to the plugin’s backend endpoints.
  • Review and sanitize all user-supplied data that is passed to database queries by the plugin, adopting parameterized queries or prepared statements to eliminate direct string concatenation.

Advisories
Source: EUVD
ID: EUVD-2025-12301
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Watu Quiz allows SQL Injection. This issue affects Watu Quiz: from n/a through 3.4.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Watu Quiz allows SQL Injection. This issue affects Watu Quiz: from n/a through 3.4.3.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Watu Quiz watu allows SQL Injection. This issue affects Watu Quiz: from n/a through <= 3.4.3.

Type: Title
Values Removed: WordPress Watu Quiz <= 3.4.3 - SQL Injection Vulnerability
Values Added: WordPress Watu Quiz plugin <= 3.4.3 - SQL Injection Vulnerability

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}
Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Tue, 29 Apr 2025 19:15:00 +0000

Type: First Time appeared
Values Added: Kibokolabs; Kibokolabs watu Quiz

Type: CPEs
Values Added: cpe:2.3:a:kibokolabs:watu_quiz:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Kibokolabs; Kibokolabs watu Quiz

Tue, 22 Apr 2025 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Apr 2025 10:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Watu Quiz allows SQL Injection. This issue affects Watu Quiz: from n/a through 3.4.3.

Type: Title
Values Added: WordPress Watu Quiz <= 3.4.3 - SQL Injection Vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:36.802Z

Reserved: 2025-04-22T09:21:32.319Z

Link: CVE-2025-46242

Vulnrichment

Updated: 2025-04-22T16:51:33.743Z

NVD

Status: Modified

Published: 2025-04-22T10:15:18.210

Modified: 2026-04-23T15:29:56.317

Link: CVE-2025-46242

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:30:36Z

Weaknesses