Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-0968 — Cross-site Scripting in Watu Quiz

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

15.8%

top 5.25%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Prasunsen Watu Quiz Kibokolabs Watu Quiz

Timeline

PublishedMar 3

Latest updateJul 6

Description

The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dn’, 'email', 'points', and 'date' parameters in versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5prasunsen/watu_quiz3.3.9

▶NVDkibokolabs/watu_quiz3.3.9

🔴Vulnerability Details

GHSA

GHSA-xwp2-26xm-vq22: The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dn’, 'email', 'points', and 'date' parameters in versions↗2023-07-06

▶

CVEList

Watu Quiz <= 3.3.9 - Reflected Cross-Site Scripting↗2023-03-03

▶

💥Exploits & PoCs

Nuclei

WordPress Watu Quiz <3.3.9.1 - Cross-Site Scripting

▶