CVE-2025-11238
Watu · Watu Quiz plugin for WordPress
A high-severity vulnerability exists within the Watu Quiz plugin for WordPress, allowing attackers to inject malicious code into a website.
Executive summary
A high-severity vulnerability exists within the Watu Quiz plugin for WordPress, allowing an attacker to store a malicious script on a website. The script then runs in the web browsers of site administrators and visitors who view the affected page, potentially leading to the theft of sensitive information, account takeovers, or website defacement.
Vulnerability
The vulnerability is a stored Cross-Site Scripting (XSS) flaw. The plugin reads the HTTP Referer header from incoming requests and stores it without sufficient sanitization. Because the Referer header is entirely client-controlled, an attacker can send a request to a page that uses the plugin with a script payload in that header; the plugin saves the unsanitized value to the database, likely as part of a logging or statistics feature. When an administrator or other user later views the page that renders the stored value, the payload is emitted into the HTML without escaping and executes in that user's browser, with that user's session and privileges.
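The following is an added illustration, not code from the Watu Quiz plugin or from this advisory: a minimal, hypothetical quiz-attempt logger that keeps the Referer, first in the vulnerable pattern the description implies and then hardened with WordPress's own sanitization and escaping helpers. The table name `example_quiz_log`, the function names and the 2048-byte cap are assumptions made for the example.

```php
<?php
// Added example, not the Watu Quiz plugin's code. Table name, function
// names and the 2048-byte cap are assumptions made for illustration.

// VULNERABLE PATTERN: the raw header goes straight into the database ...
function example_log_attempt_vulnerable( int $quiz_id ): void {
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'example_quiz_log',
        array(
            'quiz_id' => $quiz_id,
            // Referer is set by the client; it can hold arbitrary bytes, not just a URL.
            'referer' => $_SERVER['HTTP_REFERER'] ?? '',
        )
    );
}

// ... and comes back out without escaping, so stored markup becomes live HTML.
function example_render_log_vulnerable(): void {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT quiz_id, referer FROM {$wpdb->prefix}example_quiz_log" );
    foreach ( $rows as $row ) {
        echo '<tr><td>' . (int) $row->quiz_id . '</td><td>' . $row->referer . '</td></tr>';
    }
}

// HARDENED PATTERN: constrain the value on the way in, escape on the way out.
function example_log_attempt_hardened( int $quiz_id ): void {
    global $wpdb;
    $raw = wp_unslash( $_SERVER['HTTP_REFERER'] ?? '' );
    // esc_url_raw() removes characters that cannot appear in a URL (including
    // <, >, quotes and whitespace) and returns '' for disallowed schemes such
    // as javascript:, so stored values are at worst odd-looking URLs.
    $referer = esc_url_raw( $raw );
    if ( strlen( $referer ) > 2048 ) {
        $referer = '';   // oversized referers are not worth storing
    }
    $wpdb->insert(
        $wpdb->prefix . 'example_quiz_log',
        array( 'quiz_id' => $quiz_id, 'referer' => $referer ),
        array( '%d', '%s' )   // explicit column formats for $wpdb->insert()
    );
}

function example_render_log_hardened(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;   // the report is administrative data
    }
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT quiz_id, referer FROM {$wpdb->prefix}example_quiz_log" );
    foreach ( $rows as $row ) {
        // Escape at the point of output regardless of what reached the database:
        // esc_html() turns <, >, &, " and ' into entities, so a stored
        // <script> tag renders as text instead of executing.
        echo '<tr><td>' . (int) $row->quiz_id . '</td><td>' . esc_html( $row->referer ) . '</td></tr>';
    }
}
```

Output escaping is the control that actually closes the XSS; the input filtering only limits what can be stored, and rows written before the fix are still dangerous until they are escaped at render time or removed. If the stored value is rendered inside an attribute or as a link target, use esc_attr() or esc_url() instead of esc_html(), matching the context it lands in.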
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to significant business consequences, including the compromise of administrator accounts, theft of user session cookies, and unauthorized access to sensitive website data. This could result in reputational damage, loss of customer trust, and potential data breaches. An attacker could also deface the website or redirect users to malicious sites, further impacting business operations and brand integrity.
Remediation
Immediate Action:
- Update the Watu Quiz plugin to the latest version available from the official WordPress repository.
- If the plugin is no longer required for business operations, deactivate and uninstall it completely to remove the attack surface.
- Review existing WordPress security settings against established practice: keep core, themes and plugins current, limit the number of administrator accounts, and require strong authentication for the dashboard.
Proactive Monitoring:
- Monitor web server and application logs for unusual or excessively long Referer headers, particularly values containing script markers (<script>, onerror=, javascript:, etc.); payloads may arrive percent-encoded, so inspect the decoded value as well.
- Implement a Web Application Firewall (WAF) and monitor its logs for alerts related to Cross-Site Scripting attempts targeting the affected plugin or site.
- Regularly audit the database tables associated with the Watu Quiz plugin for suspicious stored data, such as embedded HTML or JavaScript. A stored payload is evidence that the flaw was exploited before patching, and it keeps firing every time the page is viewed until the row is cleaned or removed.
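The script below is an added example for the two monitoring steps above (log review and database audit); it is not part of this advisory or of the plugin. It flags Referer values that carry script markers or are abnormally long, first in access-log lines in the Apache/nginx "combined" format and then in values already pulled from a database. The sample log lines, the sample rows, the 512-byte length threshold and the marker list are all constructed for the example.

```php
<?php
// Added example for the monitoring steps above, not part of the advisory or
// the plugin. Sample log lines, rows and thresholds below are constructed.

const MAX_REFERER_LEN = 512;   // constructed threshold; tune to real traffic

// Markers that have no place inside a legitimate Referer URL.
const XSS_MARKERS = '/<\s*\/?\s*script\b|\bon(?:error|load|mouseover|focus|click)\s*=|javascript\s*:|<\s*(?:img|svg|iframe|body)\b/i';

function is_suspicious_referer( string $value ): bool {
    // Payloads are often percent-encoded; inspect the decoded form as well.
    $decoded = rawurldecode( $value );
    return strlen( $value ) > MAX_REFERER_LEN
        || preg_match( XSS_MARKERS, $value ) === 1
        || preg_match( XSS_MARKERS, $decoded ) === 1;
}

// Parse one line in the Apache/nginx "combined" format.
function parse_combined_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if ( preg_match( $re, $line, $m ) !== 1 ) {
        return null;   // not combined format; handle or log separately
    }
    return array(
        'ip' => $m[1], 'time' => $m[2], 'request' => $m[3],
        'status' => (int) $m[4], 'referer' => $m[5], 'ua' => $m[6],
    );
}

// Return the parsed entries whose Referer trips the check.
function scan_access_log( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $entry = parse_combined_line( trim( $line ) );
        if ( $entry !== null && is_suspicious_referer( $entry['referer'] ) ) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Same check over rows already stored. In WordPress the rows would come from
// $wpdb->get_results() against the plugin's log table (table name not assumed here).
function audit_stored_referers( array $rows ): array {
    $flagged = array();
    foreach ( $rows as $row ) {
        if ( is_suspicious_referer( (string) $row['referer'] ) ) {
            $flagged[] = $row['id'];
        }
    }
    return $flagged;
}

// Constructed sample input: one benign line, one raw payload, one percent-encoded payload.
$sample_log = <<<'LOG'
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /quiz/1/ HTTP/1.1" 200 5123 "https://example.com/blog/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:02 +0000] "GET /quiz/1/ HTTP/1.1" 200 5123 "<script src=https://attacker.example/x.js></script>" "curl/8.0"
192.0.2.9 - - [10/Oct/2025:12:00:03 +0000] "GET /quiz/1/ HTTP/1.1" 200 5123 "https://example.com/?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E" "Mozilla/5.0"
LOG;

foreach ( scan_access_log( explode( "\n", $sample_log ) ) as $hit ) {
    printf( "suspicious referer from %s at %s: %s\n", $hit['ip'], $hit['time'], $hit['referer'] );
}

// Constructed sample rows standing in for a database query result.
$sample_rows = array(
    array( 'id' => 1, 'referer' => 'https://example.com/blog/' ),
    array( 'id' => 2, 'referer' => '<svg onload=alert(document.domain)>' ),
);
print_r( audit_stored_referers( $sample_rows ) );
```

Run it with `php scan.php`; for a real review, replace the constructed lines with `file('/var/log/apache2/access.log')` or the nginx equivalent. The parser is the simplified combined format: if your server writes embedded quotes in the Referer as `\"`, widen the quoted-field pattern accordingly. The marker list is a starting point for triage, not a complete XSS grammar, which is the same reason the WAF rules described below are a stopgap rather than a fix.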
Compensating Controls:
- If immediate patching is not feasible, deploy a WAF with specific rules to filter, sanitize, or block requests containing script markup in the Referer header. Treat this as a stopgap: a filter keyed on a handful of markers can be bypassed with alternative encodings or tag variants, so patching remains the fix.
- Implement a strict Content Security Policy (CSP) to restrict the sources from which scripts can be executed, reducing the impact of a successful XSS injection. Test the policy against the admin dashboard before enforcing it; WordPress admin pages rely on inline scripts that a policy without 'unsafe-inline' or nonces will block, so deploy in report-only mode first.
- Restrict administrative access to the WordPress dashboard to trusted IP addresses only.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the High severity rating (CVSS 7.2) and the public availability of exploit code, immediate remediation is strongly recommended. All organizations using the Watu Quiz plugin should prioritize updating to the latest version. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its ease of exploitation (a crafted request header is enough to plant the payload) makes it a significant risk. After patching, check the plugin's tables for payloads stored before the update, since those continue to execute for anyone who views the affected page. A comprehensive review of all installed WordPress plugins should also be conducted to identify and mitigate other potential security weaknesses.