CVE-2024-10574

Name of the Vulnerable Software and Affected Versions The Quiz Maker Business plugin for WordPress versions up to, and including, 8.8.0 The Quiz Maker Developer plugin for WordPress versions up to, and including, 21.8.0 The Quiz Maker Agency plugin for WordPress versions up to, and including, 31.8.0

Description The issue is related to unauthorized modification of data due to a missing capability check on the ays save google credentials function. This allows unauthenticated attackers to modify the Google Sheets integration credentials within the plugin's settings. Additionally, because the client id parameter is not sanitized or escaped when used in output, this could also be leveraged to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Recommendations The Quiz Maker Business plugin for WordPress versions up to, and including, 8.8.0 should update to a version higher than 8.8.0 to resolve the issue. The Quiz Maker Developer plugin for WordPress versions up to, and including, 21.8.0 should update to a version higher than 21.8.0 to resolve the issue. The Quiz Maker Agency plugin for WordPress versions up to, and including, 31.8.0 should update to a version higher than 31.8.0 to resolve the issue.