CVE-2024-10628

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in the Quiz Maker WordPress plugin lets unauthenticated attackers inject SQL through the 'id' request parameter, which reaches a database query without adequate sanitization. A successful injection exposes the WordPress database to unauthorized reads and data exfiltration. All WordPress sites running a vulnerable version of Quiz Maker Business, Developer, or Agency are affected.

💻 Affected Systems

Products:
  • Quiz Maker Business
  • Quiz Maker Developer
  • Quiz Maker Agency
Versions: Business: up to and including 8.8.0, Developer: up to and including 21.8.0, Agency: up to and including 31.8.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All three plugin variations share the same plugin slug. WordPress sites with these plugins enabled are vulnerable by default.

📦 What is this software?

Quiz Maker is a WordPress plugin from Ays Pro for building quizzes, tests, and exams. Business, Developer, and Agency are its paid editions; the three share the same code base, which is why one flaw affects all of them.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: extraction of sensitive user data and WordPress password hashes, with privilege escalation to full site takeover if an administrator hash is cracked or the extracted data is reused against other systems.

🟠

Likely Case

Exfiltration of quiz results, participant data, and potentially WordPress user records (including password hashes from the users table) from the database.

🟢

If Mitigated

Limited impact where the patched version is installed, or where a WAF rejects non-numeric or SQL-like values in the 'id' parameter before they reach the plugin.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting SQL injection payloads for the 'id' parameter and extracting data through whatever channel the injected query exposes (returned content, errors, or response timing). No authentication is required, so any visitor to the site can attempt it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Business: >8.8.0, Developer: >21.8.0, Agency: >31.8.0

Vendor Advisory: https://ays-pro.com/changelog-for-quiz-maker-pro

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the Quiz Maker plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the vendor site and update manually.

🔧 Temporary Workarounds

WAF Rule Implementation

Platform: all

Implement web application firewall rules that block SQL injection patterns in the 'id' parameter. Keyword blocklists (UNION, SELECT, SLEEP) are easy to evade with encoding and case changes; if the plugin only ever receives integer values in 'id' on your site (verify this against legitimate traffic before enforcing), a rule that rejects any non-integer 'id' on the plugin's request paths is tighter and harder to bypass.

Temporary Plugin Deactivation

Platform: WordPress

Deactivate the Quiz Maker plugin until the patched version is installed. Deactivation stops the plugin's request handlers from loading, so the injection point is no longer reachable.

wp plugin deactivate quiz-maker

🧯 If You Can't Patch

  • Enforce strict input validation for the 'id' parameter in application code: cast it to an integer before it reaches any query, and pass it through a prepared statement rather than string concatenation
  • Run WordPress with a least-privilege database account that can reach only the WordPress schema and has no FILE or administrative privileges, so an injected query cannot read other databases or write to the filesystem

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Quiz Maker version number. Compare against affected versions.

Check Version:

wp plugin get quiz-maker --field=version

Verify Fix Applied:

Confirm plugin version is above vulnerable thresholds: Business >8.8.0, Developer >21.8.0, Agency >31.8.0

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs (UNION, SLEEP, BENCHMARK, or information_schema lookups originating from the web application's database user)
  • Multiple requests from one client with SQL-like patterns or non-numeric values in the 'id' parameter
  • Error logs showing SQL syntax errors; note that injection techniques relying on timing or boolean conditions produce no errors, so clean error logs are not evidence of absence

Network Indicators:

  • HTTP requests with SQL injection payloads in URL parameters
  • Unusual database connection patterns from web servers

SIEM Query:

source="web_logs" AND (uri="*id=*UNION*" OR uri="*id=*SELECT*" OR uri="*id=*INSERT*" OR uri="*id=*UPDATE*" OR uri="*id=*SLEEP*" OR uri="*id=*BENCHMARK*" OR uri="*id=*%27*" OR uri="*id=*'*")

Match case-insensitively and against the URL-decoded URI where your SIEM supports it; payloads arrive percent-encoded (for example %27 for a quote, %20 for a space) and may be double-encoded. Requests that send 'id' in a POST body will not appear in a URI-only search and need WAF or full-request logging.
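The SIEM query above only catches uppercase keywords in raw URIs. The following script is an added example (not part of the original page or of Quiz Maker itself) that runs the same detection logic over combined-format access log lines, but URL-decodes values, matches case-insensitively, and flags any non-integer 'id' value as low-severity so that encoded or unusual probes are not missed. The log lines and request paths are constructed for illustration; the plugin's real endpoints are not assumed.

```python
"""Flag HTTP requests whose 'id' query parameter carries SQL-injection-style content.

Added example for this page; not code from Quiz Maker or its vendor.
Works on combined-format access log lines (Apache/nginx default).
"""
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# client - user [time] "METHOD URI PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Tokens that never belong in a numeric identifier. Matched case-insensitively.
SQLI_TOKENS = re.compile(
    r"(?i)(\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\b\s+\d+\s*=|--|#|/\*|['\"])"
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding; attackers double-encode
    to slip past filters that decode only once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_id(raw_id: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when the id value looks suspicious, else None.

    A plain integer is what a quiz id should be; anything else is at least
    worth a look, and a recognisable SQL token is high severity.
    """
    value = decode_fully(raw_id)
    if re.fullmatch(r"\d+", value):
        return None
    m = SQLI_TOKENS.search(value)
    if m:
        return ("high", f"sql token {m.group(0)!r} in id={value!r}")
    return ("low", f"non-numeric id={value!r}")


def scan_log(lines):
    """Yield one finding per suspicious 'id' value found in the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        uri = m.group("uri")
        # parse_qs performs the first decode; decode_fully handles deeper layers.
        params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
        for raw in params.get("id", []):
            verdict = classify_id(raw)
            if verdict:
                severity, reason = verdict
                findings.append({
                    "ip": m.group("ip"), "time": m.group("time"),
                    "uri": uri, "severity": severity, "reason": reason,
                })
    return findings


# Constructed sample traffic: one benign quiz request, two injection probes
# (one of them double-encoded), an unrelated login, and a non-numeric id.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2024:10:01:02 +0000] "GET /quiz/?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2024:10:01:05 +0000] "GET /quiz/?id=12%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [12/Nov/2024:10:01:07 +0000] "GET /quiz/?id=12%2520union%2520select%25201 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/Nov/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2024:10:02:10 +0000] "GET /quiz/?id=abc HTTP/1.1" 404 0 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['ip']:14} {f['time']}  {f['reason']}")
```

Run it against a real access log with `scan_log(open("access.log"))`. The low-severity "non-numeric id" class is deliberately noisy; tune it by limiting `scan_log` to the plugin's request paths once you know them from your own traffic, and remember that 'id' values sent in POST bodies never reach the access log at all.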

🔗 References

  • Vendor changelog: https://ays-pro.com/changelog-for-quiz-maker-pro
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-10628