CVE-2024-10574: 
WordPress vulnerability analysis and mitigation

The Quiz Maker Business, Developer, and Agency plugins for WordPress contain a vulnerability due to a missing capability check in the 'ays_save_google_credentials' function. This affects versions up to 8.8.0 (Business), 21.8.0 (Developer), and 31.8.0 (Agency). The vulnerability was disclosed on January 26, 2025 (NVD CVE).

The vulnerability stems from a missing authorization check in the 'ays_save_google_credentials' function, which allows unauthenticated attackers to modify Google Sheets integration credentials within the plugin's settings. Additionally, the 'client_id' parameter is not properly sanitized or escaped when used in output, enabling potential arbitrary web script injection that executes when users access affected pages. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (Wordfence).

The vulnerability allows unauthenticated attackers to modify Google Sheets integration credentials and potentially inject malicious web scripts that execute when users access affected pages. This could lead to unauthorized data access and potential cross-site scripting attacks (NVD CVE).

Users should update to versions newer than 8.8.0 (Business), 21.8.0 (Developer), or 31.8.0 (Agency) as applicable. The vulnerability has been fixed in newer releases (Quiz Maker Changelog).