CVE Alert: CVE-2025-11238 – prasunsen – Watu Quiz

CVE-2025-11238

HIGH

No exploitation known

The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP Referer header in versions less than or equal to 3.4.4, due to insufficient input sanitization and output escaping when the "Save source URL" option is enabled. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.

CVSS v3.1 (7.2)
Vendor
prasunsen
Product
Watu Quiz
Versions
* lte 3.4.4
CWE
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Published
2025-10-25T05:31:18.111Z
Updated
2025-10-25T05:31:18.111Z

AI Summary Analysis

Risk verdict

High. Unauthenticated, network-accessible exploitation via the HTTP Referer header, when the Save source URL option is enabled, could store and trigger XSS across pages that render the payload. If KEV is present or EPSS ≥ 0.5, treat as priority 1.

Why this matters

The attacker can execute scripts in visitors' browsers, risking session data exposure or actions taken on behalf of users. While the direct impact on confidentiality and integrity is limited (both rated Low in the CVSS vector), the attack undermines trust and can enable credential harvesting or defacement on quiz-heavy WordPress sites.

Most likely attack path

No user interaction is needed. An adversary sends requests carrying a crafted Referer header, which the plugin stores as the source URL when that option is enabled; when a user later loads a page that renders the stored value, the script runs in their browser. No privileges are required, and because the scope is changed (S:C), the impact extends beyond the vulnerable component to the site that hosts it.

Who is most exposed

WordPress sites using the plugin, especially education or quiz‑centric deployments with public access and the Save source URL feature enabled.

Detection ideas

  • Unusual script activity on quiz pages or pages rendering stored content
  • Payload-like entries appearing in plugin/database content
  • Anomalous Referer header data associated with quiz pages
  • WAF/IPS alerts for common XSS payloads targeting quiz content

Mitigation and prioritisation

  • Patch to the latest plugin version; remove or restrict the Save source URL feature if possible
  • Implement WAF/IPS rules and a strict Content Security Policy
  • Validate and scrub stored content; migrate or purge suspicious entries
  • Plan patching during a maintenance window and test in staging
  • If KEV true or EPSS ≥ 0.5, treat as priority 1
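One way to act on the "Anomalous Referer header data" detection idea and to triage stored source-URL entries when scrubbing content, as an added example that is neither the plugin's nor the advisory's code: a small Python scanner over combined-format access logs. The quiz path pattern and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Paths on which the plugin renders quiz content: an assumption for this example.
QUIZ_PATH_RE = re.compile(r'/quiz', re.IGNORECASE)

# Markup that has no business in a Referer URL: tags, common inline event
# handlers, javascript: URLs. Input is URL-decoded first so %3Cscript%3E is caught.
XSS_MARKERS = re.compile(
    r'<\s*/?\s*[a-z!]|\bon(?:error|load|click|mouseover|focus)\s*=|javascript\s*:',
    re.IGNORECASE,
)

def looks_like_xss(value: str) -> bool:
    """True if a Referer value (or a stored source URL) contains script-like markup."""
    decoded = unquote(unquote(value))  # two passes to catch double-encoded payloads
    return bool(XSS_MARKERS.search(decoded))

def scan_log_lines(lines):
    """Return (client, path, referer) for quiz-page requests with suspicious Referers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        parts = m.group('request').split()
        path = parts[1] if len(parts) > 1 else ''
        if QUIZ_PATH_RE.search(path) and looks_like_xss(m.group('referer')):
            hits.append((m.group('host'), path, m.group('referer')))
    return hits

# Constructed sample lines, not real traffic; the client addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Oct/2025:06:00:01 +0000] "GET /quiz/intro/ HTTP/1.1" 200 512 "https://example.org/" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Oct/2025:06:00:02 +0000] "GET /quiz/intro/ HTTP/1.1" 200 512 "https://evil.example/<script>x</script>" "curl/8.0"',
    '198.51.100.2 - - [25/Oct/2025:06:00:03 +0000] "GET /quiz/intro/ HTTP/1.1" 200 512 "https://evil.example/?q=%3Cimg%20src%3Dx%20onerror%3Dx%3E" "curl/8.0"',
    '198.51.100.7 - - [25/Oct/2025:06:00:04 +0000] "GET /about/ HTTP/1.1" 200 300 "https://evil.example/<b>" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, path, referer in scan_log_lines(SAMPLE_LOG):
        print(f"suspicious Referer from {client} on {path}: {referer!r}")
```

The same `looks_like_xss` check can be run over the plugin's stored source-URL values to pick out entries worth purging; the non-quiz hit in the last sample line is deliberately ignored to keep the alert scoped to the affected pages.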
