The plugin does not properly sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Within Settings > Qwizcards > Qwizcardsa Option, put the following payload in the Qwizcards-content HTML field v < 3.61 - "> v < 3.62 - " autofocus onfocus=alert(/XSS/)//
CPE | Name | Operator | Version |
---|---|---|---|
qwiz-online-quizzes-and-flashcards | lt | 3.62 |