CVE-2025-6174
Description
The Qwizcards | online quizzes and flashcards WordPress plugin through 3.9.4 does not sanitise and escape the "_stylesheet" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or any other user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Qwizcards WordPress plugin ≤ 3.9.4 lacks sanitization of the _stylesheet parameter, enabling reflected XSS against high-privilege users like admins.
The Qwizcards | online quizzes and flashcards plugin for WordPress, through version 3.9.4, contains a reflected Cross-Site Scripting (XSS) vulnerability. The plugin fails to sanitize and escape the _stylesheet parameter before outputting it back in the page, allowing an attacker to inject arbitrary JavaScript code [1]. The root cause is missing output escaping rather than weak validation alone: whatever arrives in _stylesheet is written back into the page verbatim, so quote and angle-bracket characters reach the browser unencoded.
An attacker can exploit this vulnerability by crafting a URL whose _stylesheet parameter carries the payload and tricking a high-privilege user, such as an administrator, into opening it while logged in. No authentication on the attacker's part is required beyond the ability to deliver the link; the victim's session is what the injected script runs under. Any page that reads this parameter and reflects it is an entry point, which makes this a textbook reflected XSS vector [1].
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. The script inherits the victim's cookies and can read the WordPress nonces embedded in admin pages, so it can issue authenticated requests on the admin's behalf: creating new admin accounts, modifying plugin settings, or injecting malicious content into the site, effectively compromising the entire WordPress installation [1].
The insight above states that the vulnerability has been fixed in version 3.95 of the plugin; note that the Patches section of this page lists no patch, so confirm the fixing release against the plugin changelog before relying on that version number. Users are strongly advised to update to the latest version. The issue was publicly disclosed on July 2, 2025, and assigned CVE-2025-6174 with a CVSS v3 base score of 6.1 (Medium severity). No workarounds have been documented beyond applying the patch; a request filter that rejects quote and angle-bracket characters in _stylesheet can reduce exposure in the interim but is not a substitute for the update [1].
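The following is an added example, not code from the Qwizcards plugin (whose source is not on this page). It models the pattern the description above names, a _stylesheet value reflected unescaped into a stylesheet link, alongside the two-layer fix (allow-list, then attribute escaping, which in WordPress would be sanitize_key()/esc_attr()), and the non-destructive probe a tester uses to tell a vulnerable page from a fixed one. The /css/ path, the allow-list, the hostname and the probe marker are all constructed for illustration.

```python
# Added example: models the reflected-XSS pattern behind CVE-2025-6174.
# Not the plugin's code; paths, allow-list and marker are constructed.
import html
import re
from urllib.parse import urlencode

# Hypothetical allow-list of stylesheet names a plugin might ship.
ALLOWED_STYLESHEETS = {"default", "dark", "print"}

# Harmless probe: closes the attribute and the tag, then adds an element
# that does nothing. It proves reflection without executing any script.
PROBE_MARKER = '"><xss1234>'


def render_vulnerable(stylesheet: str) -> str:
    """The vulnerable pattern: the parameter is written back verbatim."""
    return f'<link rel="stylesheet" href="/css/{stylesheet}.css">'


def render_escaped_only(stylesheet: str) -> str:
    """Output escaping alone (WordPress esc_attr() equivalent): the marker
    survives as text but can no longer break out of the attribute."""
    return f'<link rel="stylesheet" href="/css/{html.escape(stylesheet, quote=True)}.css">'


def render_hardened(stylesheet: str) -> str:
    """Allow-list first, then escape. Unknown names fall back to the default,
    so attacker-controlled text never reaches the page at all."""
    name = stylesheet if stylesheet in ALLOWED_STYLESHEETS else "default"
    return f'<link rel="stylesheet" href="/css/{html.escape(name, quote=True)}.css">'


def build_probe_url(base_url: str, marker: str = PROBE_MARKER) -> str:
    """URL a tester would deliver to a page that reads _stylesheet."""
    return f"{base_url}?{urlencode({'_stylesheet': marker})}"


def classify_reflection(body: str, marker: str = PROBE_MARKER) -> str:
    """'raw'     : marker appears verbatim, so attribute/tag breakout works;
       'escaped' : only the entity-encoded form appears (esc_attr-style fix);
       'absent'  : the value was dropped or replaced (allow-list fix)."""
    if marker in body:
        return "raw"
    if html.escape(marker, quote=True) in body:
        return "escaped"
    return "absent"


def injected_tags(body: str) -> list[str]:
    """Tag names the browser would create from the probe's breakout."""
    return re.findall(r"<(xss\d+)>", body)


if __name__ == "__main__":
    print("probe URL:", build_probe_url("https://example.test/quiz/"))
    for label, render in (("vulnerable", render_vulnerable),
                          ("escaped-only", render_escaped_only),
                          ("hardened", render_hardened)):
        body = render(PROBE_MARKER)
        print(f"{label:13s} {classify_reflection(body):8s} {body}")
```

Against a live site the same classification is applied to the HTTP response body for the probe URL; a "raw" result on a page served by a version through 3.9.4 is the condition the advisory describes, while "escaped" or "absent" indicates one of the two fix layers is in place. The marker deliberately carries no script so the check is safe to run against production.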
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Qwizcards | online quizzes and flashcards (WordPress plugin), range: <= 3.9.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.