Impact
A Cross-Site Request Forgery flaw in the CyrilG Fyrebox Quizzes "fyrebox-shortcode" allows an attacker to submit a forged request that stores malicious script code in the site database. The injected script can then be rendered by browsers visiting the site, giving the attacker the ability to execute arbitrary JavaScript in the context of site visitors. This vulnerability combines CSRF (CWE-352) with Stored XSS and can lead to theft of user credentials, defacement, or other actions carried out in the victim's browser. The effect is not limited to a single user; any visitor who loads the affected page after the script is stored will be impacted.
Affected Systems
The Fyrebox Quizzes plugin by CyrilG is affected in all releases up to and including version 3.1. No earliest affected version is specified, so every build from the first available release through 3.1 should be treated as vulnerable. Users running any of these versions are exposed.
Risk and Exploitability
A CVSS score of 7.1 rates the flaw as high severity. The EPSS score of less than 1% suggests a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, implying no known exploitation in the wild at the time of analysis. The likely attack vector is CSRF: the malicious request is transmitted by tricking an authenticated user into visiting a crafted URL or loading a malicious page. An attacker still depends on an authenticated user's session, but CSRF supplies it through the victim's own browser rather than requiring the attacker to steal it, which lowers the barrier and makes exploitation feasible in many environments.
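To show the two defects this advisory describes side by side with their fixes, the following is an added illustration of a WordPress settings handler; it is not code from the Fyrebox Quizzes plugin, and every name in it (myplugin_*, banner_text) is hypothetical.

```php
<?php
// Added example, not code from the Fyrebox Quizzes plugin; every name here
// (myplugin_*, banner_text) is hypothetical.

// BEFORE: a settings handler with no origin or capability check. A logged-in
// user lured onto an attacker-controlled page has the browser submit this
// form for them (CSRF); the unsanitised value is stored and later echoed
// raw into the page for every visitor (stored XSS).
function myplugin_save_settings_vulnerable() {
    if ( isset( $_POST['banner_text'] ) ) {
        update_option( 'myplugin_banner_text', $_POST['banner_text'] );
    }
}
function myplugin_render_banner_vulnerable() {
    return '<div class="banner">' . get_option( 'myplugin_banner_text', '' ) . '</div>';
}

// AFTER: the same handler with the controls that close both halves of the bug.
function myplugin_save_settings_hardened() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: the request must carry the token issued with the form, which a
    //    cross-site forged request cannot read. check_admin_referer() dies on failure.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );
    // 3. Sanitise before storing.
    if ( isset( $_POST['banner_text'] ) ) {
        $text = sanitize_text_field( wp_unslash( $_POST['banner_text'] ) );
        update_option( 'myplugin_banner_text', $text );
    }
}
function myplugin_render_banner_hardened() {
    // 4. Escape on output: a value stored before the fix is neutralised as well.
    return '<div class="banner">' . esc_html( get_option( 'myplugin_banner_text', '' ) ) . '</div>';
}

// The settings form must emit the matching nonce and post to admin-post.php.
function myplugin_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="myplugin_save">';
    wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' );
    echo '<input type="text" name="banner_text">';
    submit_button( 'Save' );
    echo '</form>';
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings_hardened' );
```

The nonce and capability checks stop the forged write, and escaping at render time also neutralises any payload that was stored before the handler was fixed.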