Description
The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rate_reason' parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-02
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Quiz Maker by AYS plugin for WordPress contains a Stored Cross‑Site Scripting flaw in the rate_reason parameter. Due to inadequate input validation and insufficient output escaping, unauthenticated users can embed arbitrary JavaScript code that will run whenever a page containing the injection is viewed. The vulnerability is a classic injection weakness (CWE‑79) that can lead to session hijacking, defacement, or delivery of malicious payloads to unsuspecting visitors.

Affected Systems

The flaw affects all releases of the Quiz Maker by AYS plugin up to and including version 6.7.1.29. WordPress sites running any of these versions are vulnerable; updating to a later release removes the rate_reason handling that permits unsanitized input.

Risk and Exploitability

With a CVSS score of 5.8, the vulnerability presents moderate risk. Because the enhancer is accessible without authentication, attackers can exploit it remotely by sending a crafted request to the rate_reason field, and the injected script will execute for any user who loads the affected page. The EPSS score is currently unavailable, and the flaw is not listed in CISA’s KEV catalogue, indicating no confirmed widespread exploitation yet, but the lack of authentication makes it relatively easy to abuse.

Generated by OpenCVE AI on May 2, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Quiz Maker by AYS plugin to the latest available release (>=6.7.1.30) where rate_reason input is properly sanitized.
  • If an immediate update is not possible, configure WordPress to strip or escape all content added through rate_reason, using functions such as sanitize_textarea_field or esc_html, before storing or rendering it.
  • Audit existing database entries for any stored rate_reason values and cleanse or delete them to ensure no unsanitized data remains visible to visitors.

Generated by OpenCVE AI on May 2, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rate_reason' parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Quiz Maker by AYS <= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via 'rate_reason'
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T11:16:11.734Z

Reserved: 2026-04-21T19:12:46.602Z

Link: CVE-2026-6817

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-02T12:16:17.023

Modified: 2026-05-02T12:16:17.023

Link: CVE-2026-6817

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T12:30:27Z

Weaknesses