Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-4220

The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the list_questions() function. This makes it possible for unauthenticated attackers to delete questions from quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published

2022-12-02T21:15:12.173

Last Modified

2024-11-21T07:34:49.007

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	kibokolabs	chained_quiz	≤ 1.3.2.4	Yes

References

https://gist.github.com/Xib3rR4dAr/417a11bcb9b8da28cfe5ba1c17c44d0e Exploit, Third Party Advisory ([email protected])
https://plugins.trac.wordpress.org/browser/chained-quiz/trunk/controllers/questions.php#L73 Patch, Third Party Advisory ([email protected])
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2826623%40chained-quiz&new=2826623%40chained-quiz&sfp_email=&sfph_mail= Patch, Third Party Advisory ([email protected])
https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4220 Third Party Advisory ([email protected])
https://gist.github.com/Xib3rR4dAr/417a11bcb9b8da28cfe5ba1c17c44d0e Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://plugins.trac.wordpress.org/browser/chained-quiz/trunk/controllers/questions.php#L73 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2826623%40chained-quiz&new=2826623%40chained-quiz&sfp_email=&sfph_mail= Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4220 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)