CVE-2024-10628: 
WordPress vulnerability analysis and mitigation

The Quiz Maker Business, Developer, and Agency plugins for WordPress contain an SQL Injection vulnerability (CVE-2024-10628) discovered in January 2025. The vulnerability affects all versions up to 8.8.0 (Business), 21.8.0 (Developer), and 31.8.0 (Agency). The issue stems from insufficient escaping of the 'id' parameter and inadequate SQL query preparation (NVD CVE).

The vulnerability is classified as an SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 7.5 (HIGH). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD CVE).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database (NVD CVE).

Users should upgrade to versions after 8.8.0 (Business), 21.8.0 (Developer), or 31.8.0 (Agency) as indicated in the changelog. The vulnerability has been addressed in version 8.8.1/21.8.1/31.8.1 released on January 28, 2025 (Quiz Changelog).