CVE-2021-24691: 
WordPress vulnerability analysis and mitigation

The Quiz And Survey Master WordPress plugin before version 7.3.2 contains a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24691. The vulnerability was discovered by security researcher Shivam Rai and was publicly disclosed on September 13, 2021. This security issue affects the quiz-master-next plugin, specifically impacting administrators and users with high privileges (WPScan).

The vulnerability stems from improper output escaping of the Quiz Url Slug setting in certain pages. This security flaw allows high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79, falling into the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

When exploited, this vulnerability allows attackers with administrative access to inject malicious JavaScript code through the Quiz Url Slug setting. The injected code gets executed when users edit quizzes or access the Quizzes/Surveys page in the WordPress admin panel (WPScan).

The vulnerability has been patched in version 7.3.2 of the Quiz And Survey Master plugin. Users are advised to update their installations to this version or later to mitigate the security risk (WPScan).