Impact
The qnotsquiz plugin for WordPress is vulnerable to stored cross‑site scripting via the qnotsquiz_custom_start_text parameter, resulting from insufficient input sanitization and output escaping. This flaw enables an authenticated administrator to insert arbitrary JavaScript into pages, which will execute whenever any user views the affected page. The resulting compromise can lead to session hijacking, credential theft, phishing, or defacement, affecting the confidentiality, integrity, and availability of the site and potentially other sites in the same WordPress multisite network.
Affected Systems
The vulnerability impacts the qnotsquiz WordPress plugin produced by muniyandibg, affecting all released versions up to and including 1.0.0. The flaw is relevant only for multisite installations where WordPress’ unfiltered_html capability is disabled, which is the default configuration for most sites.
Risk and Exploitability
The CVSS score of 4.4 indicates low severity, and the EPSS score of less than 1% implies a low likelihood of exploitation at the time of this analysis. The vulnerability is not yet included in CISA’s KEV catalog. Attackers must first obtain administrator‑level access to the WordPress network, then submit a value that contains malicious script through the qnotsquiz_custom_start_text field. Once stored, the script runs automatically in the browser of any user who loads the affected page, enabling the attacker to carry out client‑side attacks. Because the flaw requires admin privileges, the window of opportunity is narrower than for a flaw that needs no privileges, but it still poses a risk to organizations that rely on unfiltered content feeds from the plugin.
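For sites that cannot remove the plugin, the two missing controls (input sanitization and output filtering) can be applied from outside it. The must-use plugin below is an added example, not the plugin's code or a vendor patch. It assumes the field is stored as a per-site option named qnotsquiz_custom_start_text, which this advisory does not confirm; QNQ_START_TEXT_OPTION and qnq_filter_start_text are hypothetical names.

```php
<?php
/**
 * Plugin Name: qnotsquiz start-text filter (added example)
 *
 * Drop into wp-content/mu-plugins/ so it loads on every site in the network.
 *
 * Assumption: the plugin keeps the field in a wp_options row called
 * 'qnotsquiz_custom_start_text'. Confirm the real option name before relying
 * on this file; if the name differs, the filters below never fire.
 */

// Hypothetical constant: option name assumed from the parameter name.
const QNQ_START_TEXT_OPTION = 'qnotsquiz_custom_start_text';

/**
 * Reduce a value to the markup WordPress allows in post content.
 *
 * wp_kses_post() removes <script> elements, event-handler attributes and
 * javascript: URLs. It is applied to every user, so an administrator without
 * unfiltered_html gets the same filtering as anyone else.
 *
 * Caveat: this is only sufficient if the plugin prints the value as HTML
 * body content. If it is printed inside an attribute or a script block,
 * the plugin's own output call needs esc_attr() or wp_json_encode() instead.
 */
function qnq_filter_start_text( $value ) {
    if ( ! is_string( $value ) ) {
        return ''; // Unexpected type: store/return nothing rather than guess.
    }
    return wp_kses_post( $value );
}

// Input side: sanitize_option() runs for both add_option() and
// update_option(), so every write path to this option is covered.
add_filter( 'sanitize_option_' . QNQ_START_TEXT_OPTION, 'qnq_filter_start_text' );

// Output side: get_option() passes the stored value through this filter,
// which neutralizes anything saved before this file was installed.
add_filter( 'option_' . QNQ_START_TEXT_OPTION, 'qnq_filter_start_text' );
```

The read-side filter does not rewrite the database row, so the stored value should still be reviewed and cleaned once the option name is confirmed.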