CVE-2025-14579
BaseFortify
Publication date: 2026-01-12
Last updated on: 2026-01-13
Assigner: WPScan
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quiz_maker | quiz_maker | < 6.7.0.89 (6.7.0.89 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14579 is a Stored Cross-Site Scripting (XSS) vulnerability in the Quiz Maker WordPress plugin versions before 6.7.0.89. The plugin does not properly sanitize and escape certain settings, allowing high privilege users like administrators to inject malicious scripts. This can happen even if the unfiltered_html capability is disabled, such as in multisite WordPress setups. Attackers can manipulate plugin settings via HTTP requests to store and execute malicious scripts when those settings are rendered. [1]
How can this vulnerability impact me?
This vulnerability allows high privilege users to inject and execute malicious scripts within the WordPress site. This can lead to unauthorized actions, data theft, session hijacking, or defacement of the site. Since the malicious script is stored and executed when the affected setting is rendered, it can impact site integrity and user trust. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting HTTP requests to the Quiz Maker plugin's General Settings, specifically looking for manipulated parameters such as `ays_answer_default_count`, `ays_right_answer_sound`, or `ays_wrong_answer_sound` containing suspicious payloads like `3123a" onfocus=alert(1) autofocus=cmw4enky1hn`. You can use tools like curl or intercept HTTP requests with a proxy (e.g., Burp Suite) to check for these parameters. For example, a curl command to fetch the settings page or submit altered parameters could be used to test if the plugin is vulnerable. However, no specific commands are provided in the resources. [1]
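As an added defender-side example (not part of the advisory or the plugin), the following script scans constructed proxy/WAF records of settings-save requests and flags the three parameters named above when their values contain an attribute break-out into an event handler, a raw tag, or a javascript: URL; the log format and the admin path are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Settings fields named in the advisory text for CVE-2025-14579.
WATCHED_PARAMS = {
    "ays_answer_default_count",
    "ays_right_answer_sound",
    "ays_wrong_answer_sound",
}

# Quote followed by an on* event handler, a raw tag start, or a javascript: URL.
SUSPICIOUS = re.compile(r'["\']\s*on\w+\s*=|<\s*/?[a-z]|javascript\s*:', re.IGNORECASE)


def flag_settings_body(body: str) -> list:
    """Return (param, decoded value) pairs in a form body that look like markup injection."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name in WATCHED_PARAMS:
            hits.extend((name, v) for v in values if SUSPICIOUS.search(v))
    return hits


def scan_log(lines) -> list:
    """Scan tab-separated records (timestamp, user, path, url-encoded body).
    This record format is an assumption: a WAF or reverse proxy that logs bodies."""
    findings = []
    for line in lines:
        ts, user, path, body = line.rstrip("\n").split("\t", 3)
        for param, value in flag_settings_body(body):
            findings.append({"ts": ts, "user": user, "path": path, "param": param, "value": value})
    return findings


# Constructed sample records (hypothetical admin path): one benign settings save,
# one carrying the payload quoted in the advisory text.
SAMPLE_LOG = [
    "2026-01-12T10:00:01Z\tadmin\t/wp-admin/admin.php?page=quiz-maker-settings\t"
    "ays_answer_default_count=4&ays_right_answer_sound=on",
    "2026-01-12T10:05:17Z\tadmin\t/wp-admin/admin.php?page=quiz-maker-settings\t"
    "ays_answer_default_count=3123a%22+onfocus%3Dalert(1)+autofocus%3Dcmw4enky1hn",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} param={f['param']} value={f['value']!r}")
```

Because the settings values are stored, a hit here should be followed by inspecting the saved option in the database, not only the request log.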
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Quiz Maker WordPress plugin to version 6.7.0.89 or later, where the issue has been fixed. Additionally, restrict high privilege user access and monitor plugin settings for suspicious changes until the update can be applied. [1]