CVE-2018-17140

MEDIUM

Quizlord < 2.0 - Stored Cross-Site Scripting via Title Parameter in ql_insert Action

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-17140. PoCs published by Renos Nikolaou.

AI-analyzed exploit summary: This is a proof-of-concept for a stored XSS vulnerability in the WordPress Quizlord plugin version 2.0. The exploit demonstrates how an authenticated user can inject malicious JavaScript via the 'title' parameter, which is then executed when the quiz is viewed.

Description

The Quizlord plugin through 2.0 for WordPress is prone to Stored XSS via the title parameter in a ql_insert action to wp-admin/admin.php.

Exploits (1)

exploitdb WORKING POC
by Renos Nikolaou · text · webapps · php
https://www.exploit-db.com/exploits/45307


Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin Quizlord 2.0
Auth required
Prerequisites: Access to WordPress admin panel · Quizlord plugin version 2.0 installed
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45307/

Scores

CVSS v3 5.4
EPSS 0.0066
EPSS Percentile 46.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
vms-studio/quizlord < 2.0
Published Sep 17, 2018
Tracked Since Feb 18, 2026