CVE-2025-6174

MEDIUM EXPLOITED NUCLEI

Qwizcards | online quizzes and flashcards <3.9.4 - XSS

Title source: llm

Description

The Qwizcards | online quizzes and flashcards WordPress plugin through 3.9.4 does not sanitise and escape the "_stylesheet" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or any other user.

Nuclei Templates (1)

WordPress Qwizcards < 3.95 - Cross-Site Scripting (Reflected)

MEDIUMVERIFIEDby 0x_Akoko

References (1)

[Third Party Advisory] https://wpscan.com/vulnerability/ff827f67-712e-4ab6-b6aa-7f5e6ff1283a/

Scores

CVSS v3 6.1

EPSS 0.0108

EPSS Percentile 77.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

VulnCheck KEV 2025-11-27

Status published

Products (1)

Unknown/Qwizcards | online quizzes and flashcards < 3.9.4

Published Jul 23, 2025

Tracked Since Feb 18, 2026