CVE-2022-4215: XSS
First published: Fri Dec 02 2022(Updated: )
The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Kibokolabs Chained Quiz | <=1.3.2.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2022-4215.
What is the title of the vulnerability?
The title of the vulnerability is 'The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the date parameter on the chainedquiz_list page in versions up to, and including, 1.3.2.3 due to insufficient input sanitization and output escaping.'
What is the severity level of CVE-2022-4215?
The severity level of CVE-2022-4215 is medium, with a severity value of 6.1.
How does the vulnerability affect the Chained Quiz plugin?
The vulnerability affects the Chained Quiz plugin in versions up to, and including, 1.3.2.3.
How can an attacker exploit CVE-2022-4215?
An attacker can exploit CVE-2022-4215 by sending a specially crafted request with a malicious 'date' parameter to the 'chainedquiz_list' page of the Chained Quiz plugin, which can lead to the execution of arbitrary code or script in the user's browser.
- collector/nvd-index
- vendor/kibokolabs
- canonical/kibokolabs chained quiz
- version/kibokolabs chained quiz/1.3.2.3