Description
The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Note: This vulnerability requires WPBakery Page Builder to be installed and active.
Published: 2026-02-20
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Quiz Maker plugin contains a stored cross‑site scripting flaw in its vc_quizmaker shortcode for all releases up to and including 6.7.1.7. Insufficient sanitization of user supplied attributes lets an authenticated user with contributor privileges inject arbitrary client‑side scripts into pages that use the shortcode. The injected scripts run in the browser context of any visitor to the affected page, creating risks for session hijacking, information theft, defacement, and further exploitation of the site. The weakness is classed as CWE‑79.

Affected Systems

WordPress sites that use the Quiz Maker plugin version 6.7.1.7 or earlier and have WPBakery Page Builder installed and active are affected. The vendor is ays‑pro, and any site owner using this plugin should verify the installed version and upgrade if necessary.

Risk and Exploitability

With a CVSS score of 6.4, the issue is rated medium severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation. The attack requires authenticated contributor‑level or higher access and an active WPBakery Page Builder installation, which narrows the attack surface but still allows a determined attacker to compromise visitors' browser sessions and potentially harvest credentials or deliver malicious payloads. Because the XSS is stored, the malicious content persists until the site owner removes or sanitizes the affected content.

Generated by OpenCVE AI on April 15, 2026 at 18:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quiz Maker plugin to the latest available release that removes the stored XSS flaw.
  • If an upgrade is not immediately possible, remove or disable the vc_quizmaker shortcode from public pages and restrict contributor privileges to only trusted users.
  • Apply proper input validation and output escaping for all shortcode attributes, following best practices for preventing CWE‑79 vulnerabilities, and consider adding strict Content Security Policy headers to mitigate script execution.
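The following is an added illustration of the last recommendation and is not code from the Quiz Maker plugin or from OpenCVE. It uses a hypothetical `example_quiz` shortcode with made-up attributes (`id`, `title`, `css_class`) to show the CWE‑79 pattern in a WordPress shortcode handler: attributes written by a Contributor are attacker‑controlled input, so each one must be validated for its expected type and escaped with the WordPress helper that matches the output context (attribute vs. text node). Only standard WordPress API functions are used.

```php
<?php
// Added example, not the plugin's own code. The shortcode name and attribute
// names below are hypothetical; only the WordPress API calls are real.

// Unsafe pattern: attribute values are concatenated straight into HTML.
// A Contributor who can write [example_quiz ...] into a post controls
// every byte of $atts, so this is a stored XSS sink (CWE-79).
function example_quiz_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => '', 'title' => '', 'css_class' => '' ),
        $atts,
        'example_quiz'
    );
    return '<div class="' . $atts['css_class'] . '" data-quiz="' . $atts['id'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// Hardened pattern: validate each attribute to the narrowest type it needs,
// then escape at the point of output with the context-appropriate helper.
function example_quiz_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => 0, 'title' => '', 'css_class' => '' ),
        $atts,
        'example_quiz'
    );

    $id        = absint( $atts['id'] );                     // non-negative integer only
    $title     = sanitize_text_field( $atts['title'] );     // strips tags and control chars
    $css_class = sanitize_html_class( $atts['css_class'] ); // A-Z, a-z, 0-9, '-' and '_' only

    if ( 0 === $id ) {
        return ''; // refuse to render without a valid quiz ID
    }

    return sprintf(
        '<div class="%s" data-quiz="%d"><h3>%s</h3></div>',
        esc_attr( $css_class ), // HTML attribute context
        $id,                    // already a validated integer
        esc_html( $title )      // HTML text-node context
    );
}

// Register only the hardened handler.
add_shortcode( 'example_quiz', 'example_quiz_shortcode_safe' );
```

The key design point is that sanitizing on input and escaping on output are separate layers: `sanitize_html_class()` rejects characters that could break out of a `class` attribute, and `esc_attr()` still runs at render time so a future refactor that loosens the input rule does not silently reopen the sink. If an attribute is ever emitted inside inline JavaScript rather than HTML, it needs `esc_js()` or `wp_json_encode()` instead, because `esc_html()`/`esc_attr()` do not make a value safe in a script context.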

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none listed)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none listed)
Values Added: Ays-pro; Ays-pro quiz Maker; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none listed)
Values Added: Ays-pro; Ays-pro quiz Maker; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 03:15:00 +0000

Type: Description
Values Removed: (none listed)
Values Added: The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This vulnerability requires WPBakery Page Builder to be installed and active.

Type: Title
Values Removed: (none listed)
Values Added: Quiz Maker <= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Type: Weaknesses
Values Removed: (none listed)
Values Added: CWE-79

Type: References

Type: Metrics
Values Removed: (none listed)
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Ays-pro Quiz Maker
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:49.908Z

Reserved: 2026-02-11T22:29:12.029Z

Link: CVE-2026-2384

Vulnrichment

Updated: 2026-02-20T16:25:14.092Z

NVD

Status : Deferred

Published: 2026-02-20T03:16:01.960

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses