Cyber Posture

CVE-2024-10628

Severity: High
Public PoC: yes
Published: 26 January 2025
Modified: 27 September 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0009 (25.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Quiz Maker Business, Developer, and Agency plugins for WordPress are vulnerable to SQL injection via the 'id' parameter in all versions up to and including 8.8.0 (Business), 21.8.0 (Developer), and 31.8.0 (Agency), due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL to the existing query and use it to extract sensitive information from the database. NOTE: the three editions of this software (Business, Developer, and Agency) share the same plugin slug, so a slug-based scanner may raise an alert even when you are running the latest release of one of them. In that case it is safe to dismiss the notice once you have confirmed the site is on a patched version of the edition you actually run.

Security Summary

CVE-2024-10628 is a SQL injection vulnerability affecting the Quiz Maker Business, Developer, and Agency plugins for WordPress. The flaw exists in all versions up to and including 8.8.0 (Business), 21.8.0 (Developer), and 31.8.0 (Agency), and stems from insufficient escaping of the user-supplied 'id' parameter and the absence of a prepared statement for the query it feeds. Because the three editions share one plugin slug, slug-based scanners may alert on a site that is already running the latest release of the edition it uses; the version and edition, not the slug, determine exposure.

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) describes an attack that is network-reachable, low-complexity, and needs neither privileges nor user interaction. The impact is confined to confidentiality (C:H, I:N, A:N): by appending SQL to the existing query via the 'id' parameter, an attacker can read data from the database, but the vector does not claim write access or denial of service. The EPSS score of 0.0009 (25.8th percentile) sits alongside the Public PoC flag, so a proof of concept exists even though the predicted exploitation likelihood is low.

Sites on releases later than the affected ranges are not affected, and alerts can be dismissed once the applicable edition is confirmed to be updated. Patch details are in the Quiz Maker Pro changelog on ays-pro.com; Wordfence and abrahack.com have published analyses of the issue and its remediation.
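To make the mechanism concrete, here is an added example (not the plugin's code, which this page does not reproduce) written in Python against an in-memory SQLite database: a query that splices the 'id' parameter into SQL text, the UNION payload that turns it into a read of another table, and the hardened form that coerces the parameter to an integer and binds it. Table names, the user row, and the hash are constructed for the demo; the WordPress equivalents named in the comments are `$wpdb->get_results()` with string concatenation versus `$wpdb->prepare()` with a `%d` placeholder.

```python
import sqlite3

# Constructed stand-in for a WordPress database: a plugin table that the 'id'
# parameter is meant to address, and a second table holding secrets that the
# injected UNION reaches. Names and values are illustrative, not the plugin's.
SAMPLE_QUIZZES = [(1, "Intro quiz"), (2, "Final exam")]
SAMPLE_USERS = [(1, "admin", "$P$B-constructed-hash")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quizzes (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO quizzes VALUES (?, ?)", SAMPLE_QUIZZES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def get_quiz_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The flawed pattern: the request parameter is spliced into the SQL text with
    no escaping and no prepared statement, so the attacker controls the tail of the
    query. PHP analogue: $wpdb->get_results("SELECT ... WHERE id=" . $_GET['id'])."""
    sql = "SELECT id, title FROM quizzes WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def get_quiz_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: coerce to an integer, then bind it as a parameter. Either
    measure alone defeats this payload; together they also give a clean rejection
    path for malformed input. PHP analogue: $wpdb->prepare("... WHERE id = %d", $id)."""
    try:
        quiz_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # reject non-numeric ids instead of handing them to the database
    return conn.execute("SELECT id, title FROM quizzes WHERE id = ?", (quiz_id,)).fetchall()


# A UNION-based payload of the kind the advisory describes: the first SELECT is the
# plugin's own, the second pulls rows from an unrelated table into the same result.
UNION_PAYLOAD = "1 UNION SELECT user_login, user_pass FROM users"


def demo() -> dict:
    conn = build_db()
    return {
        "vulnerable": get_quiz_vulnerable(conn, UNION_PAYLOAD),   # leaks the users row
        "hardened": get_quiz_hardened(conn, UNION_PAYLOAD),       # payload rejected
        "hardened_legit": get_quiz_hardened(conn, "2"),           # normal lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable call returns the quiz row plus the `admin` login and password hash in the same result set, which is exactly the "extract sensitive information" outcome the vector's C:H encodes. Integer coercion is the right fix for a numeric id; for string parameters the binding alone (`%s` in `$wpdb->prepare()`) is what matters.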

Details

CWE(s)
CWE-89

Affected Products

Vendor: ays-pro
Product: quiz maker
Affected versions: 7.0.0 to 8.8.0.100 (Business) · 20.0.0 to 21.8.0.100 (Developer) · 30.0.0 to 31.8.0.100 (Agency)
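Because the three editions share a slug, triage has to be done on version and edition rather than on the scanner's alert. The following is an added Python helper (not from this page or the vendor) that parses a version string, compares it numerically, and reports whether it falls inside the ranges listed above. The mapping from major-version band to edition is an assumption made here for convenience; pass the edition explicitly when the site's licence tells you which one is installed.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges exactly as listed on this page, inclusive at both ends. The
# "x.y.z.100" ceilings are the page's notation for "up to and including x.y.z".
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "Business": ((7, 0, 0), (8, 8, 0, 100)),
    "Developer": ((20, 0, 0), (21, 8, 0, 100)),
    "Agency": ((30, 0, 0), (31, 8, 0, 100)),
}


def parse_version(text: str) -> Version:
    """Turn '8.8.0' into (8, 8, 0) so each component compares as a number.
    Lexical comparison is the classic mistake: '8.10.0' < '8.8.0' as strings,
    yet 8.10.0 is the later release and outside the affected range."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))  # treat '8.8' as 8.8.0
    return parts


def infer_edition(version: Version) -> str:
    """Assumption, not stated on the page: read the edition off the major-version
    band, since the affected ranges sit in 7-8, 20-21 and 30-31 respectively."""
    major = version[0]
    if major >= 30:
        return "Agency"
    if major >= 20:
        return "Developer"
    return "Business"


def assess(version_text: str, edition: Optional[str] = None) -> Dict[str, object]:
    """Report whether an installed Quiz Maker version lies inside the advisory's
    affected range for its edition. A slug-only scanner cannot make this call;
    the shared slug is why the page says alerts may fire on patched sites."""
    version = parse_version(version_text)
    edition = edition or infer_edition(version)
    if edition not in AFFECTED:
        raise ValueError(f"unknown edition: {edition!r}")
    low, high = AFFECTED[edition]
    return {
        "edition": edition,
        "version": version_text,
        "affected": low <= version <= high,
    }


if __name__ == "__main__":
    for v in ("8.8.0", "8.10.0", "21.8.0", "31.9.0", "6.5.0"):
        print(v, assess(v))
```

Note that supplying the wrong edition changes the answer: a Developer 21.8.0 install assessed as "Business" is reported as outside the Business range, which is precisely the confusion a shared slug invites. Confirm the edition from the licence or the plugin header before acting on the result.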
