CVE-2024-1078: 
WordPress vulnerability analysis and mitigation

The Quiz Maker plugin for WordPress (versions up to and including 6.5.2.4) contains a vulnerability identified as CVE-2024-1078. The vulnerability stems from missing capability checks on the ays_quick_start() and add_question_rows() functions, which allows unauthorized modification of data. This security flaw was discovered and reported by Wordfence, with the initial disclosure occurring on February 7, 2024 (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 4.3 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with low impact on integrity (I:L) and no impact on confidentiality (C:N) or availability (A:N) (NVD).

The vulnerability allows authenticated attackers with subscriber-level access or higher to create arbitrary quizzes within the WordPress installation. This unauthorized access to quiz creation functionality could potentially lead to content manipulation and compromise the integrity of the quiz system (Wordfence).

The vulnerability has been patched in version 6.5.2.5 of the Quiz Maker plugin. Users are advised to update to this version or later to mitigate the security risk (WordPress Patch).