CVE-2024-10633
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes through Quiz Maker plugins. Attackers can potentially inject malicious code, redirect users, or access sensitive data. All WordPress sites using vulnerable versions of Quiz Maker Business, Developer, or Agency plugins are affected.
💻 Affected Systems
- Quiz Maker Business
- Quiz Maker Developer
- Quiz Maker Agency
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through privilege escalation, data theft, or malware injection via malicious shortcode execution.
Likely Case
Unauthenticated attackers execute arbitrary shortcodes to redirect users, inject ads, or deface content.
If Mitigated
Limited impact if shortcode execution is restricted through security plugins or proper access controls.
🎯 Exploit Status
Attack requires no authentication and minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Business 8.8.1+, Developer 21.8.1+, Agency 31.8.1+
Vendor Advisory: https://ays-pro.com/changelog-for-quiz-maker-pro
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Quiz Maker plugin. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from vendor site and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugins
allTemporarily deactivate Quiz Maker plugins until patched.
Restrict shortcode execution
allUse security plugins to limit shortcode execution to authenticated users only.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block suspicious shortcode patterns
- Restrict plugin access through .htaccess or web server configuration
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Quiz Maker version numbers.Check Version:
wp plugin list --name='*quiz maker*' --field=versionVerify Fix Applied:
Confirm plugin version is Business 8.8.1+, Developer 21.8.1+, or Agency 31.8.1+.📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode execution patterns in WordPress debug logs
- Multiple failed shortcode execution attempts from single IP
Network Indicators:
- HTTP POST requests to quiz maker endpoints with shortcode parameters
- Unusual traffic to /wp-admin/admin-ajax.php
SIEM Query:
source="wordpress.log" AND "do_shortcode" AND "quiz_maker"