Qwizcards - XSS (CVE-2025-6174)

CVE-2025-6174 is a reflected cross-site scripting (XSS) vulnerability in the Qwizcards online quizzes and flashcards WordPress plugin up to version 3.9.4. This flaw arises from improper sanitization of the "_stylesheet" parameter, allowing attackers to inject malicious scripts that could target high-privilege users, including site administrators. Exploitation could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of affected users.

CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-6174 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-6174 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-6174 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit the Qwizcards plugin by sending requests to /wp-content/plugins/qwiz-online-quizzes-and-flashcards/qwiz_admin_sample_buttons.php with a crafted theme_stylesheet parameter containing malicious JavaScript, resulting in reflected cross-site scripting.