
WordPress Watu Quiz 3.3.9 / GN Publisher 1.5.5 / Japanized For WooCommerce 2.5.4 XSS

Posted Mar 23, 2023
Authored by Marco Wotschka | Site wordfence.com

WordPress plugins Watu Quiz versions 3.3.9 and below, GN Publisher versions 1.5.5 and below, and Japanized For WooCommerce versions 2.5.4 and below suffer from cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2023-0942, CVE-2023-0968, CVE-2023-1080
SHA-256 | aaa6840492b9bd30ed66ef5caa947815162272a3785e8dc84ec1435f67a96153

Description: Reflected Cross-Site Scripting 

Affected Plugin: Watu Quiz

Plugin Slug: watu

Affected Versions: <= 3.3.9

CVE ID: CVE-2023-0968

CVSS Score: 6.1 (Medium)


Researcher/s: Marco Wotschka

Fully Patched Version:

Description: Reflected Cross-Site Scripting

Affected Plugin: GN Publisher: Google News Compatible RSS Feeds

Plugin Slug: gn-publisher

Affected Versions: <= 1.5.5

CVE ID: CVE-2023-1080

CVSS Score: 6.1 (Medium)


Researcher/s: Marco Wotschka

Fully Patched Version: 1.5.6

Description: Reflected Cross-Site Scripting

Affected Plugin: Japanized For WooCommerce

Plugin Slug: woocommerce-for-japan

Affected Versions: <= 2.5.4

CVE ID: CVE-2023-0942

CVSS Score: 6.1 (Medium)


Researcher/s: Marco Wotschka

Fully Patched Version: 2.5.5

Vulnerability Details

Watu Quiz is a plugin that offers site owners the ability to create exams, quizzes and surveys. It allows administrators to review quiz submissions and filter search results by username, email, date taken and quiz score. Unfortunately, the search terms – provided as URL parameters – were not properly sanitized before being echoed on the search form.

Visiting a URL containing a malicious payload sufficed to trigger the execution of malicious JavaScript code in the context of the visiting user’s session. Since the exploitable page was an administrative page, this code could be used to create new administrator users or to perform other similarly severe actions potentially resulting in site takeover.

A vulnerable line of code in the plugin used the user-provided parameter and output it directly:

<input name="dn" type="text" value="<?php echo @$_GET['dn']?>" />

The dn parameter can be used to close out the value attribute, add an onmouseover event (or an onfocus event combined with the autofocus attribute) and execute JavaScript in the context of the victim’s browser.


Versions up to 3.3.9 of this plugin are vulnerable. The issue is fixed in version as of March 3, 2023.

GN Publisher is a plugin that makes RSS feeds which comply with Google News RSS feed technical requirements – necessary for inclusion in the Google News Publisher Center. The plugin addresses some common RSS compatibility issues publishers typically experience.

On its main configuration page, it offers a tabbed form where administrators can change plugin-specific settings. However, the plugin does not properly escape the tab name before outputting it.

The software features a button in the top right corner that offers an upgrade to the PRO version. The code for the button in the vulnerable version is shown below (slightly reformatted for legibility):

As can be seen, the button element contains a php echo statement that outputs the tab parameter as a button class attribute. An unauthenticated attacker can take advantage of this and inject attribute-based JavaScript that executes on an event of the attacker’s choosing such as onmouseover, or onfocus in combination with autofocus, assuming they can also successfully trick a site administrator into performing an action.


Versions up to, and including, 1.5.5 are vulnerable. Version 1.5.6 addressed this issue and was released on February 24, 2023.

The plugin Japanized for WooCommerce adds additional features to WooCommerce that make it more user-friendly for a Japanese audience, such as honorific titles and custom payment options geared towards the Japanese market. Similarly to the other two plugins discussed above, Japanized for WooCommerce outputs unsanitized user input provided via URL parameter.

As long as a tab parameter is provided, it will be output as part of the provided JavaScript that follows. A malicious piece of code can be used to close the script tag, open a new one, and include code to be executed on behalf of the visiting user.


Just like the other two vulnerabilities discussed above, this vulnerability can be exploited by unauthenticated attackers as long as an administrator of a vulnerable site can be tricked into performing an action such as clicking on a link leading them to the vulnerable form.

This issue is patched as of version 2.5.6, which was released on February 28, 2023.
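
The three output contexts described above (a quoted value attribute in Watu Quiz, a class attribute in GN Publisher, and a script block in Japanized for WooCommerce), encoded for their context, as an added example that is not the plugins' code or their actual patches. Only the Watu Quiz input line comes from the advisory; the button and script markup, the tab names and the helpers attr(), js_literal(), known_tab() and input_attributes() are assumptions, with attr() standing in for WordPress's esc_attr() and js_literal() for wp_json_encode().

```php
<?php
// Added example: stand-alone PHP, no WordPress loaded.
function attr(string $v): string {
    // Encodes & < > " ' so the value cannot end a quoted attribute.
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function js_literal(string $v): string {
    // JS string literal with < > & ' " as \uXXXX, so "</script>" never appears.
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

const KNOWN_TABS = ['general', 'features', 'help']; // hypothetical tab names
function known_tab($raw): string {
    // Anything that is not an expected tab falls back to the default one.
    return (is_string($raw) && in_array($raw, KNOWN_TABS, true)) ? $raw : KNOWN_TABS[0];
}

// Watu Quiz sink: search term inside value="...". $hardened=false echoes it raw,
// which is the behaviour of the line quoted in the advisory.
function search_field(array $get, bool $hardened): string {
    $dn = is_string($get['dn'] ?? null) ? $get['dn'] : '';
    return '<input name="dn" type="text" value="' . ($hardened ? attr($dn) : $dn) . '" />';
}

// GN Publisher sink: tab name inside class="..." (markup assumed).
function upgrade_button(array $get): string {
    return '<button class="tab-' . attr(known_tab($get['tab'] ?? null)) . '">Upgrade</button>';
}

// Japanized for WooCommerce sink: tab name inside <script> (markup assumed).
function tab_script(array $get): string {
    return '<script>var activeTab = ' . js_literal(known_tab($get['tab'] ?? null)) . ';</script>';
}

// Attribute names an HTML parser sees on the first <input> element.
function input_attributes(string $html): array {
    $doc = new DOMDocument();
    @$doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $a) {
        $names[] = $a->name;
    }
    return $names;
}

// Constructed request: quote-then-attribute text in dn, tag-closing text in tab.
$get = ['dn' => 'x" onfocus="alert(1)" autofocus="', 'tab' => '</script><script>'];
echo implode(',', input_attributes(search_field($get, false))), "\n";
echo implode(',', input_attributes(search_field($get, true))), "\n";
echo upgrade_button($get), "\n", tab_script($get), "\n", js_literal($get['tab']), "\n";
```

The first two lines of output compare the attributes the parser finds on the raw and the encoded input; the last line shows the script-context encoding applied to the raw tab value, for tab names that cannot be restricted to a fixed list.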

As a final reminder, as is typical for Reflected Cross-Site Scripting vulnerabilities, these attacks can be carried out by unauthenticated users. However, the interaction of a site user is a requirement. Furthermore, the malicious injection does not persist as it is not stored in the database.


In today’s post, we detailed flaws in three plugins that made it possible for attackers to inject malicious JavaScript into a vulnerable site. While the exploitation of these vulnerabilities requires some degree of social engineering, they all could be used for site takeover.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.

If you believe your site has been compromised as a result of these vulnerabilities or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using one of these plugins, please share this announcement with them and encourage them to update to the latest version as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.