Platform: wordpress
Component: quiz-maker
Fixed in: 6.5.9
CVE-2024-6028 describes a critical SQL Injection vulnerability discovered in the Quiz Maker plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized access and exfiltration of sensitive data. The vulnerability affects versions up to and including 6.5.8.3, and a patch is available to address the issue.
The SQL Injection vulnerability in Quiz Maker lets an attacker manipulate database queries directly: a crafted request that supplies a malicious value in the 'ays_questions' parameter appends arbitrary SQL to the query the plugin builds from it. Successful exploitation can extract sensitive information such as user credentials (the password hashes stored in the users table), quiz content and other stored data. Modifying or deleting data is less likely: unless the affected statement is itself a write, altering data through this path would require stacked queries, which the WordPress database layer (wpdb over mysqli_query) does not execute, so the realistic impact is data exposure. Because the parameter is reachable without authentication, every site running an affected version is exposed to anyone who can send it a request.
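The mechanics described above, as an added example that is not code from this page or from the Quiz Maker plugin: a Python script that uses an in-memory SQLite database to contrast a query that pastes the 'ays_questions' value straight into an IN() clause with one that validates each ID and binds it through a placeholder. The table names, columns, payload and exact query shape are assumptions for illustration only; in a WordPress plugin the hardened form corresponds to casting each ID with absint() and building the query with $wpdb->prepare() and %d placeholders.

```python
import sqlite3

# Constructed stand-in for the relevant tables; not the plugin's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_quiz_questions (id INTEGER PRIMARY KEY, question TEXT);
        INSERT INTO wp_quiz_questions VALUES (1, 'What is 2+2?'), (2, 'Capital of France?');
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bconstructedhash');
    """)
    return db

# Assumed attacker value for ays_questions: closes the IN() list, then UNIONs in
# another table. The trailing "--" comments out whatever the plugin appends.
PAYLOAD = "1) UNION SELECT user_login, user_pass FROM wp_users--"

def fetch_questions_unsafe(db, ays_questions):
    """Assumed vulnerable shape: the request value is interpolated into the SQL text."""
    sql = f"SELECT id, question FROM wp_quiz_questions WHERE id IN ({ays_questions})"
    return db.execute(sql).fetchall()

def fetch_questions_safe(db, ays_questions):
    """Hardened shape: every ID must parse as an integer and is bound via a placeholder."""
    ids = [int(part) for part in ays_questions.split(",")]  # ValueError on any non-digit input
    placeholders = ",".join("?" for _ in ids)
    sql = f"SELECT id, question FROM wp_quiz_questions WHERE id IN ({placeholders})"
    return db.execute(sql, ids).fetchall()

def demo():
    """Run the payload through both versions; return (rows leaked, hardened version rejected?)."""
    db = make_db()
    leaked = fetch_questions_unsafe(db, PAYLOAD)
    try:
        fetch_questions_safe(db, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected

if __name__ == "__main__":
    leaked, rejected = demo()
    for row in leaked:
        print(row)  # the second row is the admin login and password hash
    print("hardened version rejected payload:", rejected)
```

The unsafe version returns the admin's login and password hash alongside the legitimate question row; the hardened version never reaches the database because int() rejects the payload. Whitelisting the shape of the input (a list of integers) is what closes the hole; escaping quotes alone would not, since this payload contains none.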
CVE-2024-6028 was publicly disclosed on June 25, 2024. No active exploitation campaigns had been publicly confirmed as of this writing, and the vulnerability is not listed in the CISA KEV catalog; the critical severity, the unauthenticated attack surface and the EPSS score reported below (80.30%, 99th percentile) nonetheless make it a high-priority patch. Public proof-of-concept exploits are likely to emerge, and a SQL injection in a widely installed plugin is the kind of flaw that gets scanned for at Internet scale once one does.
Exploit Status
EPSS: 80.30% (99th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-6028 is to upgrade the Quiz Maker plugin immediately to a fixed version. If the upgrade must wait for compatibility testing, reduce exposure in the meantime: deploy a Web Application Firewall rule that blocks requests whose 'ays_questions' value is anything other than a comma-separated list of integers (a denylist of SQL keywords is easier to evade than an allowlist of the expected shape), or restrict access to the plugin's public endpoint where the site's use of it allows. Stricter input validation on the parameter is the plugin author's fix, not something a site operator can apply without patching the code. For detection, review web server access logs for requests carrying 'ays_questions' with quotes, parentheses, comment sequences or SQL keywords; access logs record only the query string, so attempts sent in POST bodies are visible only in WAF or request-body logs. After upgrading, confirm that the installed version is at least the fixed release and, in a non-production copy of the site, verify that a test injection in 'ays_questions' is rejected rather than executed.
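The log review suggested above, as an added example that is not part of the original page: a Python detector that parses combined-format access log lines, URL-decodes the query string and flags any request whose 'ays_questions' value (including the array form ays_questions[]) is not a plain comma-separated integer list. The sample log lines are constructed, the action parameter value is made up, and the admin-ajax.php path is assumed; the detector keys on the parameter name only, since this page does not identify the exact endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: client, ident, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The only legitimate shape for a question-ID list: digits separated by commas (allowlist).
ID_LIST_RE = re.compile(r'^\d+(,\d+)*$')

# Constructed sample lines using RFC 5737 documentation addresses; action name is made up.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jun/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=quiz_demo&ays_questions=1,2,3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=quiz_demo&ays_questions=1)%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [25/Jun/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=quiz_demo&ays_questions%5B%5D=1%27%20UNION%20SELECT%20user_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [25/Jun/2024:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

def analyze_line(line):
    """Return a finding dict if the request carries an ays_questions value that is not an ID list."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    # parse_qs percent-decodes both keys and values, so "ays_questions%5B%5D" becomes "ays_questions[]"
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.split("[", 1)[0] != "ays_questions":
            continue
        for value in values:
            if not ID_LIST_RE.match(value):
                return {"ip": m["ip"], "ts": m["ts"], "param": key, "value": value}
    return None

def scan_log(lines):
    """Scan an iterable of log lines and return every finding, in log order."""
    return [f for f in (analyze_line(line) for line in lines) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{finding['ts']} {finding['ip']} {finding['param']}={finding['value']!r}")
```

Run against the constructed sample, the two curl requests are reported and the benign request is not. The fourth line shows the limitation noted above: a POST carries its parameters in the body, which the access log does not record, so the same payload sent that way is invisible here and must be caught at the WAF or via request-body logging. Matching on the expected shape rather than on SQL keywords means obfuscated payloads (hex encoding, inline comments, case changes) are still flagged.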
Update the Quiz Maker plugin to the latest available version. The most recent version includes a fix for this SQL Injection vulnerability.
CVE-2024-6028 is a critical SQL Injection vulnerability affecting the Quiz Maker WordPress plugin, allowing attackers to potentially extract sensitive data from the database.
If you are using Quiz Maker WordPress plugin versions 6.5.8.3 or earlier, you are vulnerable to this SQL Injection attack.
Upgrade the Quiz Maker plugin to the latest version, which includes a fix for this vulnerability. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the critical severity and ease of exploitation suggest a high risk of future attacks.
Refer to the Quiz Maker plugin's official website or WordPress plugin repository for the latest advisory and update information.