Platform: wordpress
Component: quiz-maker
Fixed in: 6.5.9
CVE-2024-6028 describes a critical SQL injection vulnerability in the Quiz Maker plugin for WordPress. The flaw allows an unauthenticated attacker to inject attacker-controlled SQL, potentially leading to unauthorized access to, and exfiltration of, data stored in the site's database. All versions up to and including 6.5.8.3 are affected; a patched release is available.
The injection lets an attacker influence database queries directly: a crafted request that places SQL syntax in the 'ays_questions' parameter can append arbitrary SQL to the query the plugin builds from that value. Successful exploitation could expose data in the WordPress database, including user records (the users table holds password hashes), quiz content and any other stored data that the plugin's database user can read. Whether data can also be modified or deleted depends on the privileges of that database user and on the shape of the injected statement; the primary impact described for this flaw is data extraction. Because the plugin is installed on a large number of WordPress sites, the exposure is broad.
CVE-2024-6028 was publicly disclosed on June 25, 2024. As of this writing no active exploitation campaign has been publicly confirmed and the vulnerability is not listed in the CISA KEV catalog, but an unauthenticated SQL injection reachable over HTTP is both severe and easy to exploit, so it should be treated as a high-priority item. Public proof-of-concept code is likely to emerge, and once it does the risk of widespread exploitation rises sharply.
WordPress sites running Quiz Maker 6.5.8.3 or earlier are at significant risk. Shared hosting deserves particular attention: where several sites share a database server or database credentials, a successful injection against one site may expose data belonging to the others. Sites that store sensitive user data in Quiz Maker's tables (for example personal details or answers collected from quiz participants) face the highest risk.
• wordpress / composer / npm:
grep -r "ays_questions" /var/www/html/wp-content/plugins/quiz-maker/
• generic web:
curl -I "https://your-wordpress-site.com/?ays_questions=1' OR '1'='1" # Check for SQL injection response
Caveats: the grep only confirms that the plugin is installed and handles the parameter; the string is present in patched releases too, so it says nothing about whether the site is vulnerable. Check the installed version instead, for example with wp plugin get quiz-maker --field=version, or by reading the Version: line in the plugin's header. The curl command sends a HEAD request (-I) and inspects only response headers, so a single boolean payload is a weak signal; run live injection tests only against systems you are authorized to test, preferably in a non-production environment.
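The detection commands above tell you that the plugin is present, not whether it is in the affected range. The following script is an added example, not code from this page or from the Quiz Maker project: it reads the Version: line from a WordPress plugin header and compares it numerically against the advisory's affected range (up to and including 6.5.8.3) and this page's fixed version (6.5.9). It assumes the plugin's main PHP file carries a standard "Version:" header line and that the caller supplies the path to it; the file name is not stated on this page, so it is left to the caller. The numeric comparison matters because a plain string comparison gets multi-digit components wrong.

```python
"""Added example (not part of the original advisory or of the Quiz Maker
plugin): decide whether an installed copy of the plugin falls in the affected
range for CVE-2024-6028 by reading the version from its WordPress plugin
header instead of grepping for the parameter name.

Assumptions not taken from the advisory: the plugin's main PHP file carries a
standard "Version:" header line, and the caller knows the path to that file."""
import re
import sys
from typing import Optional, Tuple

AFFECTED_MAX = "6.5.8.3"  # last affected release named in the advisory
FIXED_IN = "6.5.9"        # "Fixed in" value shown on this page

# Matches " * Version: 6.5.8.3" inside a plugin header comment block.
VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(header_text: str) -> Optional[str]:
    """Extract the Version: value from a WordPress plugin header block."""
    m = VERSION_LINE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn "6.5.8.3" into (6, 5, 8, 3). Non-numeric suffixes such as
    "rc1" are ignored, which is good enough for a range check."""
    key = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like a classic comparator. Missing trailing components
    count as zero, so "6.5.9" and "6.5.9.0" compare equal. A plain string
    comparison would rank "6.5.10" below "6.5.9"; this does not."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version: str) -> bool:
    """True when version <= 6.5.8.3, the affected range in the advisory."""
    return compare_versions(version, AFFECTED_MAX) <= 0


def assess_header(header_text: str) -> dict:
    """Summarize the installed version and whether it needs the upgrade."""
    version = parse_version(header_text)
    if version is None:
        return {"version": None, "affected": None, "note": "no Version: header found"}
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "note": f"upgrade to {FIXED_IN} or later" if affected else "not in affected range",
    }


# Constructed sample header, standing in for the plugin's main file.
SAMPLE_HEADER = """\
<?php
/**
 * Plugin Name: Quiz Maker
 * Version: 6.5.8.3
 */
"""

if __name__ == "__main__":
    # Usage: python3 check_quiz_maker.py wp-content/plugins/quiz-maker/<main-file>.php
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HEADER
    print(assess_header(text))
```

Point the script at the plugin's main file on each site you administer; on a multi-site host, loop over every wp-content/plugins/quiz-maker directory rather than trusting a single copy.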
Exploit Status
EPSS: 80.30% (99th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-6028 is to upgrade the Quiz Maker plugin immediately to a release that includes the fix. If upgrading is not immediately feasible because of compatibility or testing constraints, apply temporary workarounds: restrict access to the vulnerable endpoint, enforce stricter input validation on the 'ays_questions' parameter, or deploy a Web Application Firewall (WAF) rule that blocks SQL injection attempts against that parameter. Monitor the web server's access logs for requests whose ays_questions value contains quote characters, SQL comment sequences or SQL keywords, URL-decoding the value before matching, since attackers routinely encode the payload. After upgrading, confirm that the installed version is at or above the fixed release; if you also re-test with an injection payload, do so only in a non-production environment that you are authorized to test, and verify that the input is now handled safely.
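The log-monitoring advice above is easy to get wrong if you grep the raw log, because the interesting characters arrive percent-encoded. The script below is an added example, not code from this page or from the Quiz Maker project. It parses common/combined-format access log lines, URL-decodes the ays_questions value (twice, to catch double encoding), and flags values that carry generic SQL injection indicators. The sample log lines and the client addresses in them are constructed for this example, and the indicator patterns are a general heuristic rather than a signature taken from any published exploit.

```python
"""Added example (not from the original advisory): scan web-server access
logs for injection attempts against the ays_questions parameter named in
CVE-2024-6028. The sample log lines below are constructed for this example,
and the indicator patterns are a generic SQL-injection heuristic, not a
signature taken from any published exploit."""
import re
import sys
from typing import Dict, List
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PARAM = "ays_questions"

# Common/combined log format: client, identd, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic indicators of SQL being smuggled through a parameter. Each entry is
# (regex, label); regexes run on the URL-decoded value, case-insensitively.
INDICATORS = [
    (r"['\"]", "quote character"),
    (r"--|#|/\*", "SQL comment"),
    (r"\b(?:or|and)\b\s+\S+\s*=", "boolean tautology"),
    (r"\b(?:union|select|sleep|benchmark|information_schema|load_file)\b", "SQL keyword"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in INDICATORS]


def classify_value(value: str) -> List[str]:
    """Return the labels of every indicator that matches the decoded value."""
    # parse_qs already percent-decodes once; decode again to catch double
    # encoding (a common evasion) when encoded bytes are still present.
    if "%" in value:
        value = unquote_plus(value)
    return [label for rx, label in COMPILED if rx.search(value)]


def scan_log(lines) -> List[Dict[str, object]]:
    """Return one finding per request whose ays_questions value looks like SQL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in a format we understand
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(TARGET_PARAM, []):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "method": m.group("method"),
                    "status": m.group("status"),
                    "value": value,
                    "reasons": reasons,
                })
    return findings


# Constructed sample: one benign request, two injection attempts, one benign
# comma-separated ID list, and one request that does not touch the parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2024:10:01:12 +0000] "GET /?ays_questions=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Jun/2024:10:02:44 +0000] "GET /?ays_questions=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.9 - - [25/Jun/2024:10:03:01 +0000] "GET /?ays_questions=1)%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.5 - - [25/Jun/2024:10:04:00 +0000] "GET /?ays_questions=3,4,5 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.5 - - [25/Jun/2024:10:04:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Usage: python3 scan_ays_questions.py /var/log/apache2/access.log
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for f in scan_log(source):
        print(f"{f['time']} {f['client']} {f['method']} status={f['status']} "
              f"{TARGET_PARAM}={f['value']!r}: {', '.join(f['reasons'])}")
```

Two limits to keep in mind: access logs record only the request line, so a payload delivered in a POST body never appears here, and a 200 status tells you nothing about whether the injection worked. Treat a hit as a reason to check the plugin version and the database, not as proof either way; the upgrade and a WAF rule remain the actual controls.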
Update the Quiz Maker plugin to the latest available version. The most recent version includes a fix for the SQL injection vulnerability.
CVE-2024-6028 is a critical SQL Injection vulnerability affecting the Quiz Maker WordPress plugin, allowing attackers to potentially extract sensitive data from the database.
If you are using Quiz Maker WordPress plugin versions 6.5.8.3 or earlier, you are vulnerable to this SQL Injection attack.
Upgrade the Quiz Maker plugin to the latest version, which includes a fix for this vulnerability. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the critical severity and ease of exploitation suggest a high risk of future attacks.
Refer to the Quiz Maker plugin's official website or WordPress plugin repository for the latest advisory and update information.