CVE-2024-22161: 
WordPress vulnerability analysis and mitigation

The HD Quiz WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-22161) affecting versions up to and including 1.8.11. The vulnerability was discovered on January 16, 2024, and allows authenticated attackers with administrator-level permissions to inject malicious web scripts via plugin settings (Wordfence, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 4.8 (Medium) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability specifically affects multi-site installations and installations where unfiltered_html has been disabled (WPScan).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts that will execute whenever a user accesses an injected page. The impact is limited by the requirement of administrator-level permissions, but could potentially affect user data and website integrity (WPScan).

The vulnerability has been patched in version 1.8.12 of the HD Quiz plugin. Users are advised to update to this version or later to resolve the security issue (Patchstack).