CVE-2025-11238Cross-site Scripting in Watu Quiz

CWE-79Cross-site Scripting3 documents3 sources
Severity
7.2HIGHNVD
EPSS
0.1%
top 65.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Prasunsen Watu Quiz
Timeline
PublishedOct 25

Description

The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP Referer header in versions less than, or equal to, 3.4.4 due to insufficient input sanitization and output escaping when the "Save source URL" option is enabled. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an user accesses an injected page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.7

Affected Packages1 packages

CVEListV5prasunsen/watu_quiz3.4.4

🔴Vulnerability Details

2
CVEList
Watu Quiz <= 3.4.4 - Unauthenticated Stored Cross-Site Scripting via HTTP Referer2025-10-25
GHSA
GHSA-rx6j-64vr-p2r7: The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP Referer header in versions less than, or equal to, 32025-10-25
CVE-2025-11238 — Cross-site Scripting in Watu Quiz | cvebase