CVE-2025-6174
published 2025-07-23

CVE-2025-6174: The Qwizcards | online quizzes and flashcards WordPress plugin through 3.9.4 does not sanitise and escape the "_stylesheet" parameter before outputting it back…

Priority: P2 77 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploitation: ITW / EXPLOIT (VulnCheck KEV) · Exploited in the wild
EPSS: 0.46% (36.5th percentile)
The Qwizcards | online quizzes and flashcards WordPress plugin through 3.9.4 does not sanitise and escape the "_stylesheet" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or any other user.

Affected (6 ranges)

Vendor  Product                                        Version range  Fixed in
msrc    azl3_cloud-init_24.3.1-1_on_azure_linux_3.0    -              -
msrc    azl3_cloud-init_24.3.1-2_on_azure_linux_3.0    -              -
msrc    azure_linux_3.0_arm                            -              -
msrc    azure_linux_3.0_x64                            -              -
msrc    cbl2_cloud-init_23.3-6_on_cbl_mariner_2.0      -              -
msrc    cm2_cloud-init_23.3-7_on_cbl_mariner_2.0       -              -

Detection & IOCs (extracted from sources)

IOC (other): _stylesheet, the vulnerable request parameter
Rule (sigma): matchers: body contains alert('{{randstr}}') AND rel="stylesheet" AND qwiz_button, status 200
  • Look for the '_stylesheet' parameter being reflected unsanitised in HTTP responses from pages running the Qwizcards plugin (versions through 3.9.4); a script payload in that parameter that comes back unescaped indicates active exploitation.
  • Nuclei-style detection: an HTTP 200 response body that simultaneously contains the injected alert payload, the string rel="stylesheet" and the string qwiz_button confirms that the payload was reflected via the vulnerable parameter.
  • The attack vector targets high-privilege sessions (admin and other privileged users); monitor for requests carrying script content in the '_stylesheet' GET or POST parameter against WordPress sites with Qwizcards installed.
  • The vulnerability affects Qwizcards plugin versions through 3.9.4 only; confirm the installed version before acting on detections to avoid false positives on patched installations.
  • This is a reflected XSS, not a stored one, so exploitation requires the victim to follow a crafted link; detections should focus on request/response pairs rather than on scanning stored content.
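The detection guidance above can be turned into a classifier over request/response pairs. The following is an added example written for this page, not code from the advisory, the plugin or the Nuclei template: it pulls the `_stylesheet` value out of the query string or a urlencoded POST body, then checks whether that value came back verbatim next to a `rel="stylesheet"` tag on a page that carries the `qwiz_button` plugin fingerprint, whether it came back only in HTML-escaped form (what a patched or properly escaped site would produce), or not at all. The sample traffic, host names and the "hostile value" regex are constructed assumptions; the verdict names are my own.

```python
"""Classify HTTP request/response pairs for reflected XSS via the Qwizcards
`_stylesheet` parameter (CVE-2025-6174).  All sample traffic below is constructed."""
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

PARAM = "_stylesheet"          # vulnerable parameter named in the advisory
PLUGIN_MARKER = "qwiz_button"  # plugin fingerprint used by the Nuclei-style matcher
LINK_MARKER = 'rel="stylesheet"'
# Assumed heuristic for script-bearing values; tune to your own WAF/IDS needs.
SCRIPT_RE = re.compile(r"<\s*script|\bon\w+\s*=|javascript:|alert\s*\(", re.I)


def extract_param(url: str, post_body: str = "") -> Optional[str]:
    """Return the decoded _stylesheet value from the query string or from a
    urlencoded POST body, or None if the request does not carry it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if PARAM in qs:
        return qs[PARAM][0]
    if post_body:
        form = parse_qs(post_body, keep_blank_values=True)
        if PARAM in form:
            return form[PARAM][0]
    return None


def classify(url: str, status: int, resp_body: str, post_body: str = "") -> str:
    """Verdict for one request/response pair (verdict names are this example's own)."""
    value = extract_param(url, post_body)
    if value is None:
        return "no_param"
    hostile = bool(SCRIPT_RE.search(value))
    plugin_present = PLUGIN_MARKER in resp_body
    # Unescaped reflection: raw value present on a 200 page that has both the
    # stylesheet link tag and the plugin fingerprint (the page's matcher logic).
    raw_reflected = (status == 200 and plugin_present
                     and LINK_MARKER in resp_body and value in resp_body)
    # Escaped reflection: only the entity-encoded form appears, i.e. output escaping worked.
    esc_reflected = (not raw_reflected) and html.escape(value, quote=True) in resp_body
    if hostile and raw_reflected:
        return "exploit_success"
    if hostile and esc_reflected:
        return "exploit_attempt_escaped"
    if hostile:
        return "exploit_attempt"
    if raw_reflected:
        return "benign_reflected"   # unescaped output of a harmless value: still worth patching
    return "benign"


# Constructed sample traffic: (url, status, response body, POST body).
SAMPLES = [
    # 1. Unpatched site: payload reflected verbatim into the link tag, plugin present.
    ("https://wp.example.test/quiz/?_stylesheet=%3Cscript%3Ealert(1)%3C/script%3E", 200,
     '<link rel="stylesheet" href="<script>alert(1)</script>">\n'
     '<button class="qwiz_button">Start</button>', ""),
    # 2. Escaped output: same payload, but entity-encoded in the response.
    ("https://wp.example.test/quiz/?_stylesheet=%3Cscript%3Ealert(1)%3C/script%3E", 200,
     '<link rel="stylesheet" href="&lt;script&gt;alert(1)&lt;/script&gt;">\n'
     '<button class="qwiz_button">Start</button>', ""),
    # 3. Ordinary use of the parameter, reflected unescaped (vulnerable, not attacked).
    ("https://wp.example.test/quiz/?_stylesheet=qwizcards-dark", 200,
     '<link rel="stylesheet" href="qwizcards-dark">\n<button class="qwiz_button">Start</button>', ""),
    # 4. Payload sent via POST to a page that does not run the plugin.
    ("https://wp.example.test/contact/", 200, "<p>Thanks</p>",
     "name=x&_stylesheet=%3Cscript%3Ealert(1)%3C/script%3E"),
    # 5. No parameter at all.
    ("https://wp.example.test/", 200, '<button class="qwiz_button">Start</button>', ""),
]


def run_samples() -> list:
    """Classify every constructed sample, in order."""
    return [classify(*s) for s in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:<24} {sample[0]}")
```

Sample 1 is the only pair that satisfies all three of the page's matcher conditions; sample 2 shows why matching on the raw payload rather than on the request alone keeps patched installations out of the alert stream, and sample 3 shows the unescaped reflection that indicates an unpatched plugin even without an attacker.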

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          3.1      6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck    -        6.1    MEDIUM    -
vendor_msrc  -        8.8    HIGH      -