- Description: The Quiz Maker Business, Developer, and Agency plugins for WordPress are vulnerable to unauthorized modification of data due to a missing capability check on the 'ays_save_google_credentials' function in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This makes it possible for unauthenticated attackers to modify the Google Sheets integration credentials within the plugin's settings. Because the 'client_id' parameter is not sanitized or escaped when used in output, this vulnerability could also be leveraged to inject arbitrary web scripts into pages, which execute whenever a user accesses an injected page.
- Source: security@wordfence.com
- NVD status: Received

CVSS 3.1
- Type: Primary
- Base score: 7.2
- Impact score: 2.7
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Severity: HIGH
- CWE: CWE-862 (source: security@wordfence.com)
CVE-2024-10574 01/26/2025 06:15:22 AM BaseSeverity: HIGH The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ays_save_... https://t.co/6DgY7KsU0p
@CVETracker
26 Jan 2025
New post from https://t.co/uXvPWJy6tj (CVE-2024-10574 | AYS Pro Plugins Quiz Maker Business, Developer, and Agency Plugin up to 21.8.0 on WordPress Setting ays_save_google_credentials client_id authorization) has been published on https://t.co/tbgQk86yEj
@WolfgangSesin
26 Jan 2025
New post from https://t.co/uXvPWJy6tj (CVE-2024-10574 | AYS Pro Plugins Quiz Maker Business, Developer, and Agency Plugin up to 21.8.0 on WordPress Setting ays_save_google_credentials client_id authorization) has been published on https://t.co/96Ic1aYov0
@WolfgangSesin
26 Jan 2025
CVE-2024-10574 Unauthorized Data Modification and Script Injection in WordPress Quiz Plugins https://t.co/4JZBCYZci9
@VulmonFeeds
26 Jan 2025
A CVE of mine CVE-2024-10574 (CVSS:3.1 7.2 High) has been released today. Full disclosure exclusively on my blog https://t.co/Z46zGduZ0M, on the 28th March 2025. You can read more about it at the link below https://t.co/Lijdlmsi2P Please save the date.
@theabrahack
25 Jan 2025