CVE-2024-10679: 
WordPress vulnerability analysis and mitigation

The Quiz and Survey Master (QSM) WordPress plugin before version 9.2.1 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and reported by security researcher Dmitrii Ignatyev (WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. This security flaw allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite setups. The vulnerability has been assigned a CVSS 3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability could allow attackers with administrative privileges to inject malicious JavaScript code that would be stored on the server and executed in other users' browsers when they access specific pages in the WordPress admin panel. This could lead to potential data theft, session hijacking, or other malicious actions performed in the context of the victim's browser (WPScan).

The vulnerability has been patched in version 9.2.1 of the Quiz and Survey Master plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).