Description
WordPress Plugin Plugin Chained Quiz before 1.1.8.2 suffers from a Reflected XSS vulnerability in the 'total_questions' POST parameter when a user completes a quiz. The code in question accepts the 'total_questions' parameter without escaping the special characters: models/quiz.php $output = str_replace('{{questions}}', $_POST['total_questions'], $output);