CVE-2024-10628
Published: 26 January 2025
Summary
CVE-2024-10628 is a high-severity SQL Injection (CWE-89) vulnerability in Ays-Pro Quiz Maker. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-10628 is a SQL injection vulnerability affecting the Quiz Maker Business, Developer, and Agency plugins for WordPress. The flaw exists in all versions up to and including 8.8.0 for Business, 21.8.0 for Developer, and 31.8.0 for Agency, stemming from insufficient escaping of the user-supplied 'id' parameter and lack of adequate preparation in the existing SQL query. These three plugin variations share the same slug, which may trigger alerts even on the latest versions of any one of them.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required, as indicated by the CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By appending malicious SQL queries to existing ones via the 'id' parameter, attackers can extract sensitive information from the database.
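The two defects named above, unescaped input and a query that is never prepared, are easiest to see side by side. The following PHP is an added illustration written for this page, not the Quiz Maker plugin's own code; it assumes it runs inside WordPress (so the global `$wpdb` is available), and the table name and function names are hypothetical placeholders.

```php
<?php
// Added illustrative example, not code from the Quiz Maker plugin.
// Assumes WordPress is loaded so that $wpdb, absint() and wp_unslash() exist.
// The table name 'example_quizzes' is a hypothetical placeholder.

/**
 * Vulnerable pattern (CWE-89): the request-supplied 'id' is concatenated
 * straight into the SQL text, so whatever the client sends becomes part of
 * the statement instead of being treated as data.
 */
function example_get_quiz_vulnerable( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_quizzes'; // hypothetical table
    $sql   = "SELECT * FROM {$table} WHERE id = " . $id;
    return $wpdb->get_row( $sql, ARRAY_A );
}

/**
 * Hardened form: validate the input as a non-negative integer (the SI-10
 * control) and bind it with $wpdb->prepare() using a %d placeholder, so the
 * value can only ever be a number in the final query.
 */
function example_get_quiz_safe( $id ) {
    global $wpdb;
    $id = absint( $id );          // non-numeric or negative input becomes 0
    if ( 0 === $id ) {
        return null;              // refuse to query with a bogus id at all
    }
    $table = $wpdb->prefix . 'example_quizzes';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_row( $sql, ARRAY_A );
}

// Request handling: read the raw parameter, then always use the safe path.
$quiz_id = isset( $_GET['id'] ) ? wp_unslash( $_GET['id'] ) : '';
$quiz    = example_get_quiz_safe( $quiz_id );
```

When auditing a plugin for this flaw, searching for `$wpdb->` calls whose SQL string is built with `.` or `"{$var}"` interpolation of request data, rather than passed through `prepare()`, surfaces the vulnerable pattern quickly.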
Advisories note that sites running patched versions beyond the affected releases are safe, and alerts can be dismissed after confirming the applicable plugin is updated. Patch details are available in the Quiz Maker Pro changelog on ays-pro.com, with analysis from sources like Wordfence and abrahack.com detailing the issue and remediation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33588
Vulnerability details
The Quiz Maker Business, Developer, and Agency plugins for WordPress are vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: The three variations of this software (Business, Developer, and Agency) share the same plugin slug, so you may get an alert even if you are running the latest version of any of the pieces of software. In these cases it is safe to dismiss the notice once you've confirmed your site is on a patched version of the applicable software.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of a public-facing WordPress plugin via SQL injection (T1190) enables unauthenticated extraction of sensitive data from the backend database (T1213.006).
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation and sanitization of user inputs, directly addressing the insufficient escaping of the 'id' parameter that enables SQL injection in this CVE.
SI-2 requires timely remediation of identified flaws, ensuring the SQL injection vulnerability in the Quiz Maker plugins is patched to prevent exploitation.
RA-5 involves periodic vulnerability scanning that would identify the SQL injection flaw in the affected WordPress plugins before exploitation.