Cyber Resilience

CVE-2024-10628

High · Public PoC

Published: 26 January 2025
Modified: 27 September 2025
KEV Added: not listed
Patch: available (see the Quiz Maker Pro changelog)
CVSS v3.1: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.0017 (37.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10628 is a high-severity SQL Injection (CWE-89) vulnerability in Ays-Pro Quiz Maker. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-10628 is a SQL injection vulnerability in the Quiz Maker Business, Developer, and Agency plugins for WordPress. The flaw exists in all versions up to and including 8.8.0 (Business), 21.8.0 (Developer), and 31.8.0 (Agency), and stems from insufficient escaping of the user-supplied 'id' parameter combined with the absence of a prepared statement in the existing SQL query. The three variants share the same plugin slug, so a scanner that keys on the slug alone may raise an alert even on the latest version of any one of them.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required, as reflected in the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base score 7.5). By appending additional SQL to the existing query through the 'id' parameter, an attacker can read sensitive data from the database. The vector's C:H/I:N/A:N scoring records the impact as data exposure only: the advisory describes extraction, not modification of data or denial of service.
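The following is an added illustration of the CWE-89 pattern the advisory describes, written for this page and not taken from the Quiz Maker plugin; the in-memory SQLite schema, table and column names are constructed assumptions standing in for whatever the plugin actually queries. It shows the unescaped, unprepared interpolation of 'id' that lets a UNION payload pull rows from an unrelated table, beside the SI-10 style fix (type validation plus a bound parameter) that rejects the same input.

```python
import re
import sqlite3


def build_db():
    # Constructed in-memory database. Table and column names are assumptions
    # for this example, not the plugin's real schema.
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE quizzes (id INTEGER PRIMARY KEY, title TEXT)")
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)")
    cur.executemany("INSERT INTO quizzes VALUES (?, ?)", [(1, "Intro quiz"), (2, "Final exam")])
    cur.executemany("INSERT INTO users VALUES (?, ?, ?)", [(1, "admin", "admin@example.test")])
    conn.commit()
    return conn


def get_quiz_vulnerable(conn, raw_id):
    # The CWE-89 pattern from the advisory: the user-supplied id is dropped
    # straight into the SQL text with no escaping and no prepared statement,
    # so the value can rewrite the statement's structure.
    sql = f"SELECT id, title FROM quizzes WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def get_quiz_hardened(conn, raw_id):
    # SI-10 style fix: enforce the expected type first, then bind the value
    # as a parameter so the database never parses it as SQL.
    if not re.fullmatch(r"[0-9]{1,10}", str(raw_id)):
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, title FROM quizzes WHERE id = ?", (int(raw_id),)).fetchall()


# Constructed UNION-based payload: the column count matches the original
# SELECT, so the appended query's rows come back in the normal result set.
PAYLOAD = "0 UNION SELECT user_login, user_email FROM users"


def demo():
    # Returns (rows leaked by the vulnerable path, whether the hardened path
    # rejected the same payload).
    conn = build_db()
    leaked = get_quiz_vulnerable(conn, PAYLOAD)
    try:
        get_quiz_hardened(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable path leaked:", leaked)
    print("hardened path rejected payload:", blocked)
```

The regex gate is deliberately strict (digits only) because 'id' is a row identifier; a looser check such as stripping quotes would still let the `0 UNION ...` payload through, since that payload contains no quote characters at all. Parameter binding is what closes the hole; the validation is defence in depth.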

Advisories note that sites running versions later than the affected releases are not vulnerable, and the alert can be dismissed once the applicable plugin variant is confirmed to be updated. Patch details are in the Quiz Maker Pro changelog on ays-pro.com; Wordfence and abrahack.com have published analyses of the issue and its remediation.


Vulnerability details

The Quiz Maker Business, Developer, and Agency plugins for WordPress are vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: The three variations of this software (Business, Developer, and Agency) share the same plugin slug, so you may get an alert even if you are running the latest version of any of the pieces of software. In these cases it is safe to dismiss the notice once you've confirmed your site is on a patched version of the applicable software.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

Direct remote exploitation of a public-facing WordPress plugin via SQL injection (T1190) enables unauthenticated extraction of sensitive data from the backend database (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-26971 (same vendor: Ays-Pro)
CVE-2019-25537 (shared CWE-89)
CVE-2019-25366 (shared CWE-89)
CVE-2019-25496 (shared CWE-89)
CVE-2026-1475 (shared CWE-89)
CVE-2026-26990 (shared CWE-89)
CVE-2026-44047 (shared CWE-89)
CVE-2025-12865 (shared CWE-89)
CVE-2024-11135 (shared CWE-89)
CVE-2019-25491 (shared CWE-89)

Affected Assets

ays-pro quiz maker
Affected ranges: 7.0.0 to 8.8.0.100 (Business), 20.0.0 to 21.8.0.100 (Developer), 30.0.0 to 31.8.0.100 (Agency)

These ranges end at a fourth-component build bound (x.x.0.100), whereas the advisory text states "up to, and including" 8.8.0, 21.8.0 and 31.8.0. When a scanner reports a build such as 8.8.0.x, treat the Quiz Maker Pro changelog as the authority on the first fixed release.
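Because all three variants ship under one plugin slug, the version number is the only field a scanner can use to tell a vulnerable Business install from a patched Agency one. The following is an added triage helper written for this page (not a tool from the vendor or from any scanner) that encodes the three affected ranges exactly as listed above and classifies an installed version against them; the variant labels come from the advisory's pairing of 8.8.0, 21.8.0 and 31.8.0 with Business, Developer and Agency. Four-component builds are compared numerically, so 8.8.0.50 is treated as inside the Business range while 8.8.1 is not.

```python
import re
from typing import Optional, Tuple

# Affected ranges as listed on this page: (first affected, last affected, variant).
# The variant labels follow the advisory text, which ties 8.8.0 to Business,
# 21.8.0 to Developer and 31.8.0 to Agency.
AFFECTED_RANGES = (
    ("7.0.0", "8.8.0.100", "Business"),
    ("20.0.0", "21.8.0.100", "Developer"),
    ("30.0.0", "31.8.0.100", "Agency"),
)


def parse_version(version: str) -> Tuple[int, ...]:
    # Normalise "8.8.0" and "8.8.0.100" into comparable tuples. Missing
    # trailing components count as zero, so 8.8.0 sorts below 8.8.0.100.
    # Non-numeric suffixes such as "-beta" are ignored (assumption for this
    # example; the advisory lists only numeric versions).
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return parts + (0,) * (4 - len(parts))


def classify(installed: str) -> Optional[str]:
    # Returns the affected variant name, or None if the version is outside
    # every affected range. Ranges are inclusive at both ends, matching the
    # "up to, and including" wording of the advisory.
    ver = parse_version(installed)
    for low, high, variant in AFFECTED_RANGES:
        if parse_version(low) <= ver <= parse_version(high):
            return variant
    return None


def triage(installed: str) -> str:
    # One-line verdict for a scanner finding keyed on the shared plugin slug.
    variant = classify(installed)
    if variant is None:
        return f"{installed}: outside all affected ranges; confirm against the changelog, then dismiss the alert"
    return f"{installed}: {variant} build inside affected range; update required"


if __name__ == "__main__":
    # Constructed sample findings, one per variant plus two patched builds.
    for v in ("8.8.0", "8.8.1", "21.8.0.100", "30.0.0", "31.9.0"):
        print(triage(v))
```

The inclusive upper bounds mirror the page's range data; if the changelog shows the fix landed in a build below x.x.0.100, tighten the second tuple element rather than the comparison logic.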

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent): mandates validation and sanitization of user inputs, directly addressing the insufficient escaping of the 'id' parameter that enables SQL injection in this CVE.

SI-2 Flaw Remediation (prevent): requires timely remediation of identified flaws, ensuring the SQL injection vulnerability in the Quiz Maker plugins is patched before it can be exploited.

RA-5 Vulnerability Monitoring and Scanning (detect): periodic vulnerability scanning that would identify the SQL injection flaw in the affected WordPress plugins before exploitation.
