CVE-2024-10633 Overview
CVE-2024-10633 affects the Quiz Maker Business, Developer, and Agency plugins for WordPress developed by Ays-Pro. The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes by abusing an action that calls do_shortcode without validating user-supplied input. The flaw is classified under CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code. Affected versions include Business up to and including 8.8.0, Developer up to and including 21.8.0, and Agency up to and including 31.8.0.
Critical Impact
Unauthenticated attackers can execute arbitrary WordPress shortcodes on vulnerable sites, leading to information disclosure, content manipulation, and potential abuse of any installed plugin or theme shortcode.
Affected Products
- Ays-Pro Quiz Maker Business plugin for WordPress (versions up to and including 8.8.0)
- Ays-Pro Quiz Maker Developer plugin for WordPress (versions up to and including 21.8.0)
- Ays-Pro Quiz Maker Agency plugin for WordPress (versions up to and including 31.8.0)
Discovery Timeline
- 2025-01-26 - CVE-2024-10633 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-10633
Vulnerability Analysis
The Quiz Maker plugin family exposes an action handler that forwards user-controlled input into the WordPress do_shortcode function without validation. WordPress shortcodes are server-side macros registered by core, themes, and plugins. Executing them on attacker-supplied input lets the attacker invoke any registered shortcode and supply arbitrary attributes.
Because the vulnerable action is reachable without authentication, anonymous network requests trigger shortcode execution. The realized impact depends on which shortcodes other installed plugins register. Common abuses include leaking gated content, rendering attacker-chosen markup, executing administrative shortcodes, and chaining with shortcodes that expose data or perform privileged actions.
Root Cause
The root cause is missing input validation before invoking do_shortcode. The plugin treats request parameters as trusted shortcode content rather than sanitizing or restricting them to a known allowlist. This pattern is the canonical CWE-95 failure: dynamically evaluated code is built from untrusted input.
Attack Vector
Exploitation requires only network access to the WordPress site. No authentication, user interaction, or special privileges are needed. An attacker sends a crafted HTTP request to the vulnerable plugin action endpoint with a shortcode payload, and the server renders it. Refer to the Wordfence advisory and the Ays-Pro changelog for vendor-specific details.
// No verified exploit code is published for CVE-2024-10633.
// The vulnerability is triggered by sending an unauthenticated HTTP
// request to a Quiz Maker AJAX action that passes attacker-controlled
// data directly into WordPress do_shortcode().
Detection Methods for CVE-2024-10633
Indicators of Compromise
- Unauthenticated POST or GET requests to admin-ajax.php referencing Quiz Maker actions (for example, action names beginning with ays_ or quiz_maker_) that contain bracketed shortcode syntax in their parameters.
- Web server access logs showing repeated requests with payloads containing [ and ] characters or known shortcode names from installed plugins.
- Unexpected rendering of restricted content, form submissions, or email dispatches triggered by shortcodes that should not be reachable anonymously.
Detection Strategies
- Inventory WordPress installations and identify sites running Quiz Maker Business, Developer, or Agency at or below the vulnerable versions.
- Inspect HTTP request bodies for shortcode markup sent to plugin AJAX endpoints from unauthenticated sessions.
- Correlate web access logs with WordPress audit logs to surface shortcode execution that lacks a corresponding authenticated user session.
Monitoring Recommendations
- Forward web server, WAF, and WordPress audit logs into a centralized analytics platform to detect anomalous calls to Quiz Maker action handlers.
- Alert on unauthenticated requests containing shortcode delimiters targeting admin-ajax.php or REST endpoints registered by Quiz Maker.
- Track outbound activity from the WordPress host for unexpected SMTP, HTTP, or DNS traffic that may follow shortcode abuse.
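The log-inspection strategy above (admin-ajax.php requests with Quiz Maker action names carrying bracketed shortcode syntax) as an added Python example, not code from the advisory or from Ays-Pro; the action names, shortcode names and IPs in the sample log lines are constructed placeholders, and the function also accepts a form body so the same check can run over WAF or audit logs that record POST data:

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined (Apache/Nginx) access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
QUIZ_ACTION_RE = re.compile(r'^(ays_|quiz_maker_)', re.IGNORECASE)  # prefixes named above
SHORTCODE_RE = re.compile(r'\[[A-Za-z0-9_-]+[^\]]*\]')  # bracketed shortcode syntax

def analyze_request(method, target, body=None):
    """Flag an admin-ajax.php request whose Quiz Maker action carries shortcode
    syntax in any parameter (query string or form body); return None otherwise."""
    parts = urlsplit(target)
    if not parts.path.endswith('/wp-admin/admin-ajax.php'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:  # POST bodies appear only in WAF/audit logs, not in plain access logs
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    action = params.get('action', [''])[0]
    if not QUIZ_ACTION_RE.match(action):
        return None
    hits = []
    for name, values in params.items():
        for value in values:
            # parse_qs decoded once already; decoding again catches %255B double encoding
            hits.extend((name, m.group(0)) for m in SHORTCODE_RE.finditer(unquote_plus(value)))
    return {'method': method, 'action': action, 'shortcodes': hits} if hits else None

def scan_access_log(lines):
    """Run analyze_request() over parsed access-log lines and collect the findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m['method'], m['target'])
        if finding:
            finding.update(ip=m['ip'], ts=m['ts'], status=m['status'])
            findings.append(finding)
    return findings

# Constructed sample lines: the IPs, action names and shortcode names are placeholders,
# not identifiers taken from the Quiz Maker plugin or from any real incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jan/2025:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=ays_example_action&content=%5Bexample_shortcode%20attr%3D%22x%22%5D HTTP/1.1" 200 512 "-" "curl/8.4"',
    '198.51.100.4 - - [26/Jan/2025:10:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=ays_example_action&quiz_id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Jan/2025:10:15:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&data=%5Bx%5D HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Jan/2025:10:15:04 +0000] "GET /wp-admin/admin-ajax.php?action=quiz_maker_example&content=%255Bexample%255D HTTP/1.1" 200 512 "-" "curl/8.4"',
]
```

Plain access logs do not record POST bodies, so for the POST variant described above feed the body captured by the WAF or ModSecurity audit log into analyze_request() rather than relying on scan_access_log() alone.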
How to Mitigate CVE-2024-10633
Immediate Actions Required
- Update Quiz Maker Business to a version above 8.8.0, Developer above 21.8.0, and Agency above 31.8.0 as listed in the Ays-Pro changelog.
- If patching is delayed, disable the Quiz Maker plugin until the upgrade is applied.
- Review web logs since the plugin was installed for evidence of shortcode abuse and rotate any credentials or tokens that could have been exposed.
Patch Information
Ays-Pro has released fixed versions for all three editions of the plugin. Administrators should consult the Ays-Pro Quiz Maker product page and the official changelog for the current patched release and apply updates through the WordPress plugin manager or vendor portal.
Workarounds
- Block unauthenticated requests to Quiz Maker AJAX actions at the WAF or reverse proxy layer until the patch is applied.
- Apply a WAF rule that rejects requests to admin-ajax.php with Quiz Maker action names when the body contains shortcode delimiters ([ or ]).
- Restrict access to /wp-admin/admin-ajax.php by IP allowlist where the deployment model permits it.
# Example ModSecurity rule to block shortcode payloads to Quiz Maker actions
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,id:1010633,phase:2,deny,status:403,msg:'CVE-2024-10633 Quiz Maker shortcode payload'"
SecRule ARGS:action "@rx (?i)(ays_|quiz_maker_)" \
"chain"
SecRule ARGS "@rx \[[a-zA-Z0-9_\-]+" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.