CVE-2019-12517

Name of the Vulnerable Software and Affected Versions SlickQuiz plugin for WordPress versions through 1.3.7.1

Description A stored XSS issue was discovered, allowing unauthenticated users to submit malicious data via the /wp-admin/admin-ajax.php endpoint, specifically through the save quiz score functionality. This data is stored in the database and later executed within the WordPress backend at /wp-admin/admin.php?page=slickquiz for users with at least Subscriber rights. The issue arises from the plugin's failure to properly validate and sanitize user input, such as the name or email fields.

Recommendations For SlickQuiz plugin for WordPress versions through 1.3.7.1, consider disabling the save quiz score functionality until a patch is available to prevent exploitation. Restrict access to the /wp-admin/admin-ajax.php endpoint and the /wp-admin/admin.php?page=slickquiz page to minimize the risk of stored XSS attacks. Avoid using the name and email fields in the affected functionality until the issue is resolved.