Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Unauthenticated SQL Injection via id

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE CVE-2024-10628
CVSS High (7.5)
Publicly Published January 25, 2025
Last Updated April 3, 2025
Researcher abrahack
Description

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: The three variations of this software (Business, Developer, and Agency) share the same plugin slug, so you may get an alert even if you are running the latest version of any of the pieces of software. In these cases it is safe to dismiss the notice once you've confirmed your site is on a patched version of the applicable software.

References

3 affected software package

Software Type Plugin
Software Slug quiz-maker (view on wordpress.org)
Patched? Yes
Affected Version
  • 20.0.0 - 21.8.0
Patched Version
  • 21.8.0.100
Software Type Plugin
Software Slug quiz-maker (view on wordpress.org)
Patched? Yes
Affected Version
  • 7.0.0 - 8.8.0
Patched Version
  • 8.8.0.100
Software Type Plugin
Software Slug quiz-maker (view on wordpress.org)
Patched? Yes
Affected Version
  • 30.0.0 - 31.8.0
Patched Version
  • 31.8.0.100
This record contains material that is subject to copyright

Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. License Detail.