CVE-2023-5956: 
WordPress vulnerability analysis and mitigation

The Wp-Adv-Quiz WordPress plugin through version 1.0.2 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Bob Matyas and was publicly disclosed on January 3, 2024. The issue affects the plugin's settings functionality, specifically impacting installations where high-privilege users such as administrators can perform stored XSS attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups (WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue stems from inadequate sanitization and escaping of certain plugin settings, particularly in the quiz title field (NVD).

When exploited, this vulnerability allows authenticated administrators to store and execute malicious JavaScript code through the quiz title field. This could potentially lead to client-side attacks against other users who access the quiz overview page, even in environments where unfiltered HTML is typically restricted (WPScan).

As of the current reporting, there is no known fix available for this vulnerability. Users of the Wp-Adv-Quiz plugin should consider implementing additional access controls or exploring alternative quiz plugins until a security patch is released (WPScan).