CVE-2024-10633 is a vulnerability in the AYS Pro Plugins Quiz Maker for WordPress, affecting Business (up to 8.8.0), Developer (up to 21.8.0), and Agency (up to 31.8.0) versions. The root cause is improper validation of input before invoking the WordPress function do_shortcode, which processes shortcodes embedded in content. Because the plugin does not properly sanitize or neutralize user-supplied input before passing it to do_shortcode, an attacker can inject arbitrary shortcodes. Shortcodes in WordPress can execute PHP code or trigger plugin-specific functionality, so arbitrary shortcode execution can lead to unauthorized actions, including code execution, data manipulation, or denial of service. The vulnerability is exploitable remotely over the network without authentication or user interaction, increasing its risk profile. The CVSS v3.1 score of 7.3 reflects the ease of exploitation and the potential for partial compromise of confidentiality, integrity, and availability. No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability's nature makes it a prime target for attackers seeking to compromise WordPress sites using these plugins.

The vulnerability allows unauthenticated remote attackers to execute arbitrary shortcodes, potentially leading to unauthorized code execution, data leakage, content manipulation, or denial of service on affected WordPress sites. This can compromise the confidentiality of sensitive data, integrity of site content and configurations, and availability of the service. Organizations relying on the affected Quiz Maker plugins risk website defacement, data breaches, or full site takeover. Given WordPress's widespread use, exploitation could affect a large number of websites, including those of businesses, educational institutions, and agencies using these plugins for quizzes and assessments. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation if unpatched. The impact extends to reputational damage, regulatory compliance violations, and operational disruptions.

Organizations should immediately identify if they use any affected versions of the AYS Pro Plugins Quiz Maker (Business ≤8.8.0, Developer ≤21.8.0, Agency ≤31.8.0). Since no official patches are currently linked, temporary mitigations include disabling or restricting access to the vulnerable shortcode execution functionality, such as limiting who can submit inputs that trigger do_shortcode or applying web application firewall (WAF) rules to detect and block suspicious shortcode patterns. Administrators should monitor plugin updates from AYS Pro Plugins for official patches and apply them promptly once available. Additionally, implementing strict input validation and sanitization at the application level can reduce risk. Regular security audits and monitoring for unusual shortcode activity or unauthorized changes can help detect exploitation attempts early. Employing the principle of least privilege for WordPress users and plugins can limit the damage if exploitation occurs.