CVE-2025-6174
Published 2025-07-23
Priority: P277 · medium · 6.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 0.46% (36.5th percentile)
The Qwizcards | online quizzes and flashcards WordPress plugin through 3.9.4 does not sanitise and escape the "_stylesheet" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or any other user.
Affected
6 ranges (note: all six are MSRC cloud-init / Azure Linux entries that belong to CVE-2024-6174, a different CVE that merely shares the numeric suffix; none of them describes the Qwizcards plugin. For the plugin itself the sources on this page give "through 3.9.4" as affected, and the Nuclei template title gives "< 3.95" as the affected range.)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_cloud-init_24.3.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_cloud-init_24.3.1-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_cloud-init_23.3-6_on_cbl_mariner_2.0 | — | — |
| msrc | cm2_cloud-init_23.3-7_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
sigma
- matchers: body contains alert('{{randstr}}') AND rel="stylesheet" AND qwiz_button, status 200
- Look for the '_stylesheet' parameter being reflected unsanitised in HTTP responses from pages running the Qwizcards plugin (versions through 3.9.4); a script payload in that parameter indicates an exploitation attempt or a scanner probe, and its unescaped reflection confirms the instance is vulnerable.
- Nuclei-style detection: an HTTP 200 response body simultaneously containing the injected alert payload, the string rel="stylesheet", and the string qwiz_button confirms successful reflection via the vulnerable parameter.
- The attack targets high-privilege sessions (admin and other privileged users); monitor for crafted requests containing script content in the '_stylesheet' GET/POST parameter directed at WordPress sites with Qwizcards installed.
- The vulnerability affects Qwizcards plugin versions through 3.9.4 only; confirm the installed version before applying detections to avoid false positives on patched installations.
- This is a reflected XSS (not stored): exploitation requires the victim to follow a crafted link, so detections should focus on request/response pairs rather than on scanning stored content.
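The following is an added worked example, not code from the Qwizcards plugin, the Nuclei project, or the sources quoted above. It models the two halves of the advice in this section: the reflection itself (a renderer that echoes the `_stylesheet` value unescaped, as the advisory describes, beside one that escapes it for an attribute, with Python's html.escape standing in for WordPress's esc_attr()) and the Nuclei matcher logic (alert payload with a unique marker, rel="stylesheet", qwiz_button, HTTP 200, AND-combined), plus the request-side heuristic for monitoring the `_stylesheet` parameter. The page fragment, the example.test URLs and the function names are constructed for illustration; the real request path used by the Nuclei template is not reproduced on this page and is not assumed here.

```python
import html
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Response:
    status: int
    body: str


# Constructed page fragment standing in for the plugin's output: the stylesheet
# parameter lands inside an href attribute next to the qwiz_button markup that
# the Nuclei template keys on. This is not the plugin's real template.
_PAGE = (
    '<link rel="stylesheet" href="{href}">\n'
    '<div class="qwiz_button">Start quiz</div>\n'
)


def render_vulnerable(stylesheet_param: str) -> Response:
    """Reflects _stylesheet verbatim: the unsanitised, unescaped output the advisory describes."""
    return Response(200, _PAGE.format(href=stylesheet_param))


def render_fixed(stylesheet_param: str) -> Response:
    """Escapes the value as an HTML attribute before output (html.escape stands in for esc_attr())."""
    return Response(200, _PAGE.format(href=html.escape(stylesheet_param, quote=True)))


def build_payload(marker: str) -> str:
    """Breaks out of the href attribute and injects a script carrying a unique marker,
    mirroring the template's alert('{{randstr}}') probe."""
    return "\"><script>alert('" + marker + "')</script>"


def nuclei_matches(resp: Response, marker: str) -> bool:
    """The template's matchers, AND-combined: all three words in the body and HTTP 200."""
    words = ("alert('" + marker + "')", 'rel="stylesheet"', "qwiz_button")
    return resp.status == 200 and all(w in resp.body for w in words)


def probe(renderer, marker: str = "") -> bool:
    """Send the probe through a renderer and report whether reflection is confirmed.
    A fresh random marker avoids matching a payload that was already on the page."""
    marker = marker or secrets.token_hex(4)
    return nuclei_matches(renderer(build_payload(marker)), marker)


def suspicious_request(url: str) -> bool:
    """Request-side monitoring heuristic: flag a _stylesheet query value that carries
    markup or a script URL. parse_qs decodes percent-encoding, so %3Cscript%3E is
    caught as well. Plain stylesheet names pass."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("_stylesheet", [])
    markers = ("<", ">", '"', "javascript:")
    return any(m in v.lower() for v in values for m in markers)


if __name__ == "__main__":
    print("vulnerable renderer reflects probe:", probe(render_vulnerable))
    print("escaping renderer reflects probe:", probe(render_fixed))
    print("request flagged:", suspicious_request(
        "https://example.test/?_stylesheet=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"))
```

The unique marker matters in practice: matching on a fixed string such as alert(1) would also fire on a page that already contains that text, whereas a per-request random value proves the response echoed this request's parameter. The request-side check is deliberately loose (any angle bracket or double quote in the value) because a WAF or log pipeline sees the attempt before any reflection is known; tighten it to the plugin's legitimate stylesheet names once those are inventoried.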
CVSS provenance
- NVD (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- VulnCheck: 6.1 MEDIUM
- vendor_msrc: 8.8 HIGH (this score belongs to MSRC's CVE-2024-6174 cloud-init entry listed below, not to the Qwizcards issue)
GHSA
GHSA-m4x7-38rv-hjmc: The Qwizcards | online quizzes and flashcards WordPress plugin through 3
ghsa_unreviewed·2025-07-23
CVE-2025-6174 [MEDIUM] (description identical to the NVD text above)
VulnCheck
Qwizcards Reflected Cross-Site Scripting (XSS)
vulncheck·2025·CVSS 6.1
CVE-2025-6174 [MEDIUM] (description identical to the NVD text above)
Affected: Dan Kirshner Qwizcards | online quizzes and flashcards
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-6174
Microsoft (MSRC entry for CVE-2024-6174, a different CVE matched on the numeric suffix only; it concerns cloud-init, not Qwizcards)
When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.
vendor_msrc·2025-06-10·CVSS 8.8
CVE-2024-6174 [HIGH] CWE-287
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Microsoft (MSRC entry for CVE-2023-6174, also a different CVE matched on the numeric suffix only)
Out-of-bounds Read in Wireshark
vendor_msrc·2023-11-14·CVSS 6.5
CVE-2023-6174 [MEDIUM] CWE-125
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6174
FAQ: same question and answer as in the CVE-2024-6174 entry above.
Mariner: Mariner
GitLab: GitLab
Customer Action Required: Yes
Remediation: wi
Nuclei
WordPress Qwizcards < 3.95 - Cross-Site Scripting (Reflected)
nuclei·CVSS 6.1
Template excerpt (only the matcher section survived extraction; the request section, including the path that carries the _stylesheet parameter, is not reproduced on this page):

```yaml
# Matcher section of the Nuclei template; the preceding request block is not on this page.
matchers-condition: and
matchers:
  - type: word
    part: body
    words:
      - "alert('{{randstr}}')"
      - "rel=\"stylesheet\""
      - "qwiz_button"
    condition: and
  - type: status
    status:
      - 200
# digest: 4b0a00483046022100e958349467ca543052eecacde2f4278655f71221fa8e40a495b483599d5f00a20221008e34575b2061809170fa5334e71a3ee023901fa1b232bd84a445d42b808504df:922c64590222798bb761d5b6d8e72950
```