Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Missing Authorization to Google Sheets Integration Credentials Modification and Stored Cross-Site Scripting

Missing Authorization

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE	CVE-2024-10574
CVSS	High (7.2)
Publicly Published	January 25, 2025
Last Updated	March 12, 2025
Researcher	abrahack

Description

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ays_save_google_credentials' function in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This makes it possible for unauthenticated attackers to modify the Google Sheets integration credentials within the plugin's settings. Because the 'client_id' parameter is not sanitized or escaped when used in output, this vulnerability could also be leveraged to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: The three variations of this software (Business, Developer, and Agency) share the same plugin slug, so you may get an alert even if you are running the latest version of any of the pieces of software. In these cases it is safe to dismiss the notice once you've confirmed your site is on a patched version of the applicable software.

References

www.wordfence.com

3 affected software package

Software Type	Plugin
Software Slug	quiz-maker (view on wordpress.org)
Patched?	Yes
Affected Version	20.0.0 - 21.8.0
Patched Version	21.8.0.100
Software Type	Plugin
Software Slug	quiz-maker (view on wordpress.org)
Patched?	Yes
Affected Version	7.0.0 - 8.8.0
Patched Version	8.8.0.100
Software Type	Plugin
Software Slug	quiz-maker (view on wordpress.org)
Patched?	Yes
Affected Version	30.0.0 - 31.8.0
Patched Version	31.8.0.100

This record contains material that is subject to copyright

Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. License Detail.