CVE-2024-10574
📋 TL;DR
This vulnerability allows unauthenticated attackers to modify Google Sheets integration credentials in Quiz Maker WordPress plugins, potentially leading to data manipulation and stored cross-site scripting (XSS) attacks. All WordPress sites using affected versions of Quiz Maker Business, Developer, or Agency plugins are vulnerable.
💻 Affected Systems
- Quiz Maker Business
- Quiz Maker Developer
- Quiz Maker Agency
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal Google Sheets data, inject malicious scripts that execute for all users, and potentially gain administrative access to the WordPress site through XSS payloads.
Likely Case
Attackers will modify Google Sheets credentials to redirect data to their own accounts and inject basic XSS payloads for session hijacking or credential theft.
If Mitigated
With proper web application firewalls and input validation, exploitation attempts would be blocked, limiting impact to failed attack attempts.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable endpoint. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Business: >8.8.0, Developer: >21.8.0, Agency: >31.8.0
Vendor Advisory: https://ays-pro.com/changelog-for-quiz-maker-pro
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find Quiz Maker plugin. 4. Click 'Update Now' if available. 5. If manual update needed, download latest version from vendor site and replace plugin files.
🔧 Temporary Workarounds
Disable Plugin
WordPressTemporarily disable the Quiz Maker plugin until patched
wp plugin deactivate quiz-maker-pro
Web Application Firewall Rule
allBlock requests to the vulnerable endpoint
Location: /wp-admin/admin-ajax.php?action=ays_save_google_credentials
🧯 If You Can't Patch
- Implement strict WAF rules blocking all requests to admin-ajax.php with the vulnerable action parameter
- Disable Google Sheets integration feature in plugin settings if possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Quiz Maker version. If version matches affected range, site is vulnerable.Check Version:
wp plugin list --name='quiz-maker' --field=versionVerify Fix Applied:
After update, verify version is above affected ranges. Test by attempting to access the vulnerable endpoint (should return proper authentication error).📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=ays_save_google_credentials
- Unusual modifications to plugin settings or Google Sheets credentials
Network Indicators:
- HTTP requests containing 'client_id' parameter with script tags or unusual values
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="action=ays_save_google_credentials"