CVE-2024-10633: 
WordPress vulnerability analysis and mitigation

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to arbitrary shortcode execution in versions up to 8.8.0 (Business), 21.8.0 (Developer), and 31.8.0 (Agency). The vulnerability was discovered and disclosed on January 25, 2025. The issue affects multiple versions of the Quiz Maker plugin family and allows unauthenticated attackers to execute arbitrary shortcodes due to improper validation before running do_shortcode (Wordfence).

The vulnerability is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) with a CVSS v3.1 score of 7.3 (High). The issue stems from the plugin allowing users to execute an action that does not properly validate a value before running do_shortcode, enabling unauthenticated attackers to execute arbitrary shortcodes (NVD).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized access to content, information disclosure, and other security implications. The CVSS score of 7.3 indicates high severity with potential impacts on confidentiality, integrity, and availability (Wordfence).

Users are advised to update to version 8.8.1 (Business), 21.8.1 (Developer), or 31.8.1 (Agency) which contains security fixes for this vulnerability. The update was released on January 28, 2025 (Quiz Changelog).