CVE-2024-10574

CVE-2024-10574 is a vulnerability in the Quiz Maker Business, Developer, and Agency plugins for WordPress, stemming from a missing capability check on the 'ays_save_google_credentials' function. It affects all versions up to and including 8.8.0 for Business, 21.8.0 for Developer, and 31.8.0 for Agency. The flaw enables unauthorized modification of data, specifically allowing attackers to alter Google Sheets integration credentials in the plugin's settings. Additionally, the 'client_id' parameter lacks sanitization or escaping when output, enabling cross-site scripting (XSS) via arbitrary web script injection. The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required, achieving a scope change due to its impact on confidentiality and integrity. By targeting the 'ays_save_google_credentials' endpoint, attackers can overwrite Google credentials, potentially disrupting integrations or enabling unauthorized access to linked services. Leveraging the unsanitized 'client_id', they can inject scripts that execute on any page displaying the tampered credentials, leading to session hijacking, data theft, or further site compromise for visiting users.

Vendor advisories, including the Quiz Maker changelog at ays-pro.com/changelog-for-quiz-maker-pro and product page at ays-pro.com/wordpress/quiz-maker, detail the issue, while Wordfence's threat intelligence at wordfence.com/threat-intel/vulnerabilities/id/d8a4feb3-908f-4fff-84f2-099f56d46f5b provides analysis. Mitigation requires updating to patched versions beyond the affected releases, as the vulnerability persists in all listed versions up to the specified endpoints.