Exploit for WordPress Watu Quiz <3.3.9.1 - Cross-Site Scripting (CVE-2023-0968)

Description:

WordPress Watu Quiz plugin before 3.3.9.1 is susceptible to cross-site scripting. The plugin does not sanitize and escape some parameters, such as email, dn, date, and points, before outputting them back in a page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This exploit can be used against high-privilege users such as admin.
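
A log check for the reflected parameters named above, added here as an example (it is not part of the original page, the Nuclei template or the plugin). It assumes combined-format access logs; the request path `page=PLUGIN_PAGE`, the helper names and the sample lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the description names as reflected without escaping.
WATCHED = ("email", "dn", "date", "points")
# Characters that let a value break out of an HTML attribute or text node.
MARKUP = re.compile(r"[<>\"'`]")
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_params(log_line):
    """Return {param: decoded value} for watched params that carry markup."""
    match = REQUEST.search(log_line)
    if not match:
        return {}
    query = urlsplit(match.group(1)).query
    hits = {}
    # parse_qs percent-decodes each value once before we inspect it.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in WATCHED:
            for value in values:
                if MARKUP.search(value):
                    hits[name] = value
    return hits


def scan(lines):
    """Return (line_number, hits) for every line with a suspicious value."""
    return [(n, h) for n, line in enumerate(lines, 1)
            if (h := suspicious_params(line))]


# Constructed sample lines, not taken from a real server.
SAMPLE = [
    '203.0.113.5 - - [01/Mar/2023:10:00:00 +0000] '
    '"GET /wp-admin/admin.php?page=PLUGIN_PAGE&dn=alice HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Mar/2023:10:00:07 +0000] '
    '"GET /wp-admin/admin.php?page=PLUGIN_PAGE&dn=%22%3E%3Cb%3Ex HTTP/1.1" 200 5131',
    '203.0.113.9 - - [01/Mar/2023:10:00:09 +0000] '
    '"GET /wp-admin/admin.php?page=PLUGIN_PAGE&points=10&email=a%40example.org HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE):
        print(lineno, hits)
```

A legitimate value containing an apostrophe (a display name such as O'Brien) also matches, so treat hits as leads to review alongside the plugin version in use.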

Nuclei Template

View the template here: CVE-2023-0968.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-0968.yaml

References:

https://plugins.trac.wordpress.org/browser/watu/trunk/views/takings.php#L31
https://wordpress.org/plugins/watu/
https://www.wordfence.com/threat-intel/vulnerabilities/id/6341bdcc-c99f-40c3-81c4-ad90ff19f802
https://wpscan.com/vulnerability/29008d1a-62b3-4f40-b5a3-134455b01595
https://nvd.nist.gov/vuln/detail/CVE-2023-0968