CVE-2023-0968

The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dn, 'email', 'points', and 'date' parameters in versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
WordfenceCNA
6.1 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 92%
VendorProductVersion
kibokolabswatu_quiz
𝑥
≤ 3.3.9
𝑥
= Vulnerable software versions
References
https://plugins.trac.wordpress.org/browser/watu/trunk/views/takings.php#L31
https://www.wordfence.com/threat-intel/vulnerabilities/id/6341bdcc-c99f-40c3-81c4-ad90ff19f802
https://plugins.trac.wordpress.org/browser/watu/trunk/views/takings.php#L31
https://www.wordfence.com/threat-intel/vulnerabilities/id/6341bdcc-c99f-40c3-81c4-ad90ff19f802