CVE-2025-23494
Published: 03 March 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in binnyva Quizzin quizzin allows Reflected XSS. This issue affects Quizzin: from n/a through <= 1.01.4.
Security Summary
CVE-2025-23494 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Quizzin WordPress plugin developed by binnyva. This issue affects Quizzin versions from n/a through 1.01.4, allowing malicious input to be reflected in web page generation without proper neutralization.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network attack vector, low attack complexity, no privileges required, and user interaction required. An attacker can craft a malicious link or input that, when a victim interacts with it (such as by clicking or submitting), executes scripts in the victim's browser context. The vector rates the impact on confidentiality, integrity, and availability as low, with a changed scope, so the effects could reach other users or site resources.
The Patchstack advisory documents this Reflected XSS vulnerability in the WordPress Quizzin plugin up to version 1.01.4. Security practitioners can review it for mitigation steps such as applying available patches or updates.
Details
- CWE(s)