CVE-2019-17599

moderate-risk
Published 2019-12-13

The quiz-master-next (aka Quiz And Survey Master) plugin before 6.3.5 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via the from or till parameter (and/or the quiz_id parameter). The component is: admin/quiz-options-page.php. The attack vector is: When the Administrator is logged in, a reflected XSS may execute upon a click on a malicious URL.

Do I need to act?

-
0.74% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Expresstech

References (8)

Exploit https://github.com/QuizandSurveyMaster/quiz_master_next/issues/795
Third Party Advisory https://github.com/QuizandSurveyMaster/quiz_master_next/pull/796
Release Notes https://wordpress.org/plugins/quiz-master-next/#developers
Exploit https://wpvulndb.com/vulnerabilities/9977
Exploit https://github.com/QuizandSurveyMaster/quiz_master_next/issues/795
Third Party Advisory https://github.com/QuizandSurveyMaster/quiz_master_next/pull/796
Release Notes https://wordpress.org/plugins/quiz-master-next/#developers
Exploit https://wpvulndb.com/vulnerabilities/9977
30
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal