CVE-2023-6166: 
WordPress vulnerability analysis and mitigation

The Quiz Maker WordPress plugin before version 6.4.9.5 contains a Reflected Cross-Site Scripting vulnerability identified as CVE-2023-6166. The vulnerability was discovered and publicly disclosed on November 30, 2023. The issue affects the Quiz Maker plugin for WordPress and stems from the plugin's failure to properly escape generated URLs before outputting them in attributes (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically of the reflected type, and is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability allows attackers to execute malicious scripts in the context of the affected website. When successfully exploited, it could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's browser (WPScan).

The vulnerability has been fixed in version 6.4.9.5 of the Quiz Maker plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).