CVE-2024-10633
Published: 26 January 2025
Description
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Security Summary
CVE-2024-10633 is an arbitrary shortcode execution vulnerability in the Quiz Maker Business, Developer, and Agency plugins for WordPress. It affects all versions up to and including 8.8.0 for Business, 21.8.0 for Developer, and 31.8.0 for Agency. The issue arises because the plugins allow execution of an action that fails to properly validate a value before calling do_shortcode, enabling unauthenticated attackers to run arbitrary shortcodes. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-95.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction required. By targeting the insufficiently validated input, they can execute arbitrary shortcodes on affected WordPress sites, leading to low impacts on confidentiality, integrity, and availability as per the CVSS metrics.
Mitigation details are available in advisories from Wordfence and the plugin developer's changelog and product page at ays-pro.com, which reference updates addressing the shortcode validation flaw. Security practitioners should urge site owners to update the plugins beyond the listed vulnerable versions.
Details
- CWE(s)