Qwiz Online Quizzes And Flashcards <= 3.36 - Unauthenticated Reflected Cross Site Scripting



Description
The qname, i_qwiz, session_id and username parameters passed to the registration_complete.php file are vulnerable to reflected cross-site scripting (XSS). No authentication is required.

Plugin has been closed while the issue is being fixed.

Proof of Concept
/wp-content/plugins/qwiz-online-quizzes-and-flashcards/registration_complete.php?&qname=</script><script>alert("XSS")</script>
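
A log check for requests matching this advisory, added here as an example and not taken from the advisory or the plugin: it flags access-log entries for registration_complete.php in which any of the four listed parameters carries markup characters after repeated URL-decoding. The combined log format, the constructed sample lines and the premise that legitimate values contain no quotes or angle brackets are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Path and parameter names are taken from the advisory.
TARGET = "/wp-content/plugins/qwiz-online-quizzes-and-flashcards/registration_complete.php"
PARAMS = {"qname", "i_qwiz", "session_id", "username"}
# Assumption: legitimate values are plain tokens, so these characters are suspect.
MARKUP = re.compile(r"[<>\"'`]")
# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return the advisory parameters that carry markup in this log line."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # endswith() also covers WordPress installed in a subdirectory.
    if not fully_decode(url.path).lower().endswith(TARGET):
        return []
    hits = {name for name, value in parse_qsl(url.query, keep_blank_values=True)
            if name in PARAMS and MARKUP.search(fully_decode(value))}
    return sorted(hits)

def scan(lines):
    """Return (line index, flagged parameters) for every matching entry."""
    return [(i, p) for i, line in enumerate(lines) if (p := suspicious_params(line))]

def _line(ip, uri):  # builds one constructed combined-format entry
    return f'{ip} - - [10/Sep/2019:10:00:00 +0000] "GET {uri} HTTP/1.1" 200 512 "-" "-"'

SAMPLE_LOG = [  # constructed entries using documentation IP ranges
    _line("203.0.113.7", TARGET + "?qname=quiz1&username=alice"),
    _line("203.0.113.9", TARGET + "?&qname=%3C%2Fscript%3E%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E"),
    _line("203.0.113.9", TARGET + "?session_id=abc&username=%253Cb%253E"),
    _line("198.51.100.4", "/index.php?qname=%3Cb%3E"),
]

if __name__ == "__main__":
    for index, params in scan(SAMPLE_LOG):
        print(index, params)
```

Parameters sent in a POST body do not appear in access logs, so this check only covers query-string delivery such as the proof of concept above.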

Affects Plugin

Fixed in version 3.37

References

PACKETSTORM 154403

Classification

Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79

Miscellaneous

Original Researcher: Ricardo Sanchez
Verified: No
WPVDB ID: 9874

Timeline

Publicly Published: 2019-09-07
Added: 2019-09-10
Last Updated: 2019-09-12
