Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher role via &wpt_test_page_submit_button_caption parameter.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of April 26, 2022 and is not available for download. This closure is temporary, pending a full review.

![](https://secure.gravatar.com/avatar/4b86265be07d2b470a76420fa237b899?s=60&d=retro&r=g)

There is no better plugin than this for this domain.

![](https://secure.gravatar.com/avatar/3652ada8e3ab4497e4960f6d344929e0?s=60&d=retro&r=g)

The plug-in is very good, but there are some incompatibilities. such as Incompatible with the theme's label cloud, resulting in no color display. This is a very powerful WP plug-in I've seen. If the page of submitting results can be displayed, for example; Gender, age, test time and date, that's more perfect

![](https://secure.gravatar.com/avatar/f99995e094d67b5ceeff6b661cc04a5d?s=60&d=retro&r=g)

It works excellent, I would add the possibility of doing mathematical calculations not as conditionals but to obtain numerical results, to do tests that require simple calculations such as: Quality\_of\_life = (anxiety + depression + work) / 2 Then: If: quality\_of\_life> = 5 then: Quality of life: Good

![](https://secure.gravatar.com/avatar/4a8793793a78b222ddaaa69822b40515?s=60&d=retro&r=g)

This is a great plugin I have seen ever, But if getting more updates will be more fantastic

![](https://secure.gravatar.com/avatar/365c3a86e210d343807a9941e85defee?s=60&d=retro&r=g)

I have used this plugin now for several different tests/quizzes - some simple ones and one very complex one with a lot of customization. Works like a dream!

![](https://secure.gravatar.com/avatar/45cb0397d670d0b3fe240cf48b508b2f?s=60&d=retro&r=g)

Does a fantastic job of a complex situation. Is a bit tricky to setup, but allows a number of ways to configure tests/assessments and matched our need very well.

Read all 103 reviews

“Psychological tests & quizzes” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2022-27854: Psychological tests & quizzes

Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.

CVE-2021-36895: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

WordPress Coru LFMember plugin version 1.0.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Coru LFMember - Stored Cross SiteScripting# Date: 26-04-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/Coru LFMember/# Version: 1.0.2# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code:```<td class="manage-column"><input type="text" value="<?php print$result['game_image'] ?>" name="game_image[]" /></td><td class="manage-column"><?php printstripslashes($result['game_name_short']) ?></td><td class="manage-column"><input type="text" value="<?php printstripslashes($result['game_name_long']) ?>" name="game_name_long[]" /></td><td class="manage-column"><textarea name="game_description[]" rows="4"cols="10"><?php print stripslashes($result['game_description'])?></textarea></td><td class="manage-column"><input type="text" value="<?php print$result['game_link'] ?>" name="game_link[]" /></td>```# POC1. Install the Coru LFMember WordPress plugin and activate it.2. Go to LFMember -> Add New and inject XSS payload “><img src=xonerror=alert(1)> in the fields given i.e, Game Image Name, Game ShortName, Game Long Name, Game Description, and Links to.3. XSS will trigger and will be stored.## POC Imagehttps://imgur.com/kZDtIVz

WordPress Coru LFMember 1.0.2 Cross Site Scripting

WordPress WP-Invoice plugin version 4.3.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin  WP-Invoice - Stored Cross Site Scripting# Date: 25-04-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/WP-Invoice/# Version: 4.3.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code:``` wpi.business_name = '<?php echo ($wpi_settings['business_name']); ?>';``# POC1.  Install the WP-Invoice WordPress plugin and activate it.2. Go to WP-Invoice settings  and inside the Business Name field inject XSSpayload “><img src=x onerror=alert(1)>3. XSS will trigger and will be stored.## POC Imagehttps://imgur.com/rsHIEO9

WordPress WP-Invoice 4.3.1 Cross Site Scripting

Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings.

CVE-2022-29417: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

The myCred WordPress plugin before 2.4.4 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.

CVE-2022-0363

The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website

CVE-2022-0398

The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog

CVE-2022-0287

The myCred WordPress plugin before 2.4.4 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog

CVE-2022-1092

The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.

Tag

#wordpress