漏洞标题
Quiz Maker Business、Developer及Agency<=(多个版本)存在权限验证缺失、存储型跨站脚本漏洞
漏洞描述信息
WordPress用的Quiz Maker Business、Developer和Agency插件在所有版本中(Business版本8.8.0及之前,Developer版本21.8.0及之前,Agency版本31.8.0及之前),由于在'ays_save_google_credentials'函数中缺少权限检查,存在未经授权的数据修改漏洞。这使得未认证攻击者能够修改插件设置中的Google Sheets集成凭证。由于'client_id'参数在输出时未经过净化或转义,此漏洞也可以被利用在页面中注入任意Web脚本,这些脚本会在用户访问被注入的页面时执行。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
漏洞类别
授权机制缺失
漏洞标题
Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Missing Authorization to Google Sheets Integration Credentials Modification and Stored Cross-Site Scripting
漏洞描述信息
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ays_save_google_credentials' function in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This makes it possible for unauthenticated attackers to modify the Google Sheets integration credentials within the plugin's settings. Because the 'client_id' parameter is not sanitized or escaped when used in output, this vulnerability could also be leveraged to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
漏洞类别
授权机制缺失
漏洞标题
WordPress plugin Quiz Maker Business, Developer, and Agency 安全漏洞
漏洞描述信息
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Quiz Maker Business, Developer, and Agency存在安全漏洞,该漏洞源于在输出中使用client_id参数时没有进行清理或转义,导致容易受到未经授权的数据修改。
CVSS信息
N/A
漏洞类别
其他