CVE-2024-10574 is a vulnerability classified under CWE-862 (Missing Authorization) found in the AYS Pro Plugins Quiz Maker for WordPress, specifically in the Business (up to 8.8.0), Developer (up to 21.8.0), and Agency (up to 31.8.0) versions. The core issue is the absence of a capability check in the 'ays_save_google_credentials' function, which manages Google Sheets integration credentials. This omission allows unauthenticated attackers to modify sensitive plugin settings, potentially redirecting or corrupting data flows linked to Google Sheets. Furthermore, the 'client_id' parameter used in output is not sanitized or escaped, creating an avenue for stored cross-site scripting (XSS) attacks. When an attacker injects malicious scripts via this parameter, these scripts execute in the context of any user accessing the affected pages, risking session hijacking, credential theft, or further exploitation. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.2 (high), reflecting the ease of exploitation and the impact on confidentiality and integrity, though availability is not affected. No patches or known exploits are currently reported, but the vulnerability's presence in widely used WordPress plugins makes it a significant concern for website administrators.

The primary impact of CVE-2024-10574 is unauthorized modification of Google Sheets integration credentials, which can lead to data leakage, manipulation, or disruption of business workflows relying on these integrations. The stored XSS component can compromise user sessions, steal sensitive information, or facilitate further attacks such as privilege escalation or malware deployment. Organizations using affected plugin versions risk exposure of confidential data and loss of data integrity. Since the vulnerability requires no authentication and can be triggered remotely, it broadens the attack surface significantly. This can lead to reputational damage, regulatory compliance issues (especially for organizations handling personal or financial data), and operational disruptions. The absence of availability impact reduces the risk of denial-of-service, but the confidentiality and integrity risks remain substantial. The threat is particularly critical for organizations heavily reliant on WordPress for public-facing websites or internal portals that use the Quiz Maker plugin with Google Sheets integration.

1. Immediate upgrade to the latest patched versions of the AYS Pro Plugins Quiz Maker Business, Developer, and Agency editions once available. 2. If patches are not yet released, restrict access to the WordPress admin area and plugin settings via IP whitelisting or VPN to limit exposure. 3. Implement Web Application Firewall (WAF) rules to detect and block unauthorized attempts to invoke the 'ays_save_google_credentials' function or inject malicious scripts via the 'client_id' parameter. 4. Conduct thorough input validation and output encoding on all parameters related to Google Sheets credentials to prevent XSS exploitation. 5. Regularly audit plugin configurations and Google Sheets integration credentials for unauthorized changes. 6. Monitor web server and application logs for suspicious activity targeting the plugin endpoints. 7. Educate site administrators about the risks and signs of exploitation related to this vulnerability. 8. Consider disabling Google Sheets integration temporarily if it is not critical until a secure patch is applied.