CVE-2024-2640: 
WordPress vulnerability analysis and mitigation

The Watu Quiz WordPress plugin before version 3.4.1.2 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-2640. The vulnerability was discovered by Eunho Kim and publicly disclosed on June 21, 2024. The issue affects the plugin's settings functionality, specifically impacting WordPress installations using the Watu Quiz plugin (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while CISA-ADP assessed it with a score of 6.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows users with author-level privileges (if authorized by administrators) to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disabled. This could potentially lead to the execution of malicious JavaScript code in users' browsers when viewing affected quiz content (WPScan).

Users should update their Watu Quiz WordPress plugin to version 3.4.1.2 or later, which contains the fix for this vulnerability. If immediate updating is not possible, administrators should carefully review and restrict access to the plugin's settings functionality (WPScan).