Attack Vectors
The vulnerability affects the Quiz Maker WordPress plugin (slug: quiz-maker) in versions up to and including 6.7.1.7. It is a Medium-severity issue (CVSS 6.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) identified as CVE-2026-2384.
An attacker needs an authenticated WordPress account with Contributor privileges or higher. With that access they can place script content in the attributes of the plugin's vc_quizmaker shortcode. Because the payload is stored with the post content, it executes later in the browser of anyone who views the affected page, including editors and administrators who review the submission.
Important operational detail: this vulnerability requires WPBakery Page Builder to be installed and active. If your site uses WPBakery with Quiz Maker, this increases the likelihood of exposure if contributor-level users can create or edit content that includes the shortcode.
Security Weakness
The root weakness is insufficient input sanitization and output escaping for user-supplied shortcode attributes in Quiz Maker’s vc_quizmaker shortcode. In business terms, the plugin does not consistently treat user-provided content as untrusted before storing and displaying it.
This creates a Stored Cross-Site Scripting (XSS) risk: malicious scripts can be saved into site content and executed in visitors' browsers when they access the affected page. Even though it requires authentication, many organizations grant Contributor access broadly across marketing, agencies, and contractors, and Contributors can submit posts that higher-privileged users open for review, which makes this a practical risk in real-world workflows.
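The pattern behind this class of bug is a shortcode callback that interpolates attribute values straight into HTML. The following is an added illustration, not code from the Quiz Maker plugin or from WPBakery: the shortcode tag (demo_quiz), the attribute names (id, title) and the wp_demo_ function prefix are assumptions chosen for the example, while the WordPress functions it calls (shortcode_atts, absint, sanitize_text_field, esc_attr, esc_html, add_shortcode) are real core APIs. The vulnerable handler and the hardened handler are shown side by side.

```php
<?php
// Added example, not the plugin's own code. Shortcode tag, attribute names
// and the wp_demo_ prefix are assumptions; the WP functions are real.

/**
 * Vulnerable pattern: attribute values are echoed into markup verbatim.
 * shortcode_atts() only fills in defaults, it performs no sanitization,
 * so a stored value such as
 *   [demo_quiz_vuln id="1" title='x" onmouseover="alert(1)']
 * breaks out of the title attribute for every visitor who renders it.
 */
function wp_demo_quiz_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0, 'title' => '' ), $atts, 'demo_quiz_vuln' );
    return '<div class="quiz" data-id="' . $atts['id'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</div>';
}

/**
 * Hardened pattern: each value is cast or escaped for the exact context it
 * lands in. Numeric ids are cast rather than escaped; free text is cleaned
 * on the way in (sanitize_text_field) and escaped on the way out with the
 * function that matches the output context (esc_attr for attributes,
 * esc_html for text nodes). Quotes and angle brackets can no longer close
 * the attribute or open a new element.
 */
function wp_demo_quiz_shortcode_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'id' => 0, 'title' => '' ), $atts, 'demo_quiz' );
    $id    = absint( $atts['id'] );
    $title = sanitize_text_field( $atts['title'] );
    return '<div class="quiz" data-id="' . esc_attr( $id ) . '" title="' . esc_attr( $title ) . '">'
         . esc_html( $title ) . '</div>';
}

add_shortcode( 'demo_quiz_vuln', 'wp_demo_quiz_shortcode_vulnerable' );
add_shortcode( 'demo_quiz',      'wp_demo_quiz_shortcode_hardened' );
```

A page builder such as WPBakery only changes how the attributes are entered in the editor; the shortcode callback still receives them as plain strings and is the place where escaping has to happen. When reviewing a plugin, look for shortcode callbacks that build HTML with string concatenation and check that every interpolated value passes through an esc_* function appropriate to its context.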
Technical or Business Impacts
For leadership and compliance stakeholders, the primary concern is that stored script injection undermines the trust and integrity of your web presence. Script running in a visitor's browser can rewrite on-page content, redirect or intercept user interactions, and read data entered into the page; if the viewer is a logged-in editor or administrator, the script runs with that user's session and can perform actions on the site as them.
Potential business impacts include brand damage (defaced or misleading pages), marketing performance disruption (altered landing pages, broken attribution, unauthorized redirects), and privacy/compliance exposure if user data is mishandled through injected scripts. The CVSS scope is "changed" because the vulnerable component is the plugin on the server while the impact lands in the browsers of the site's visitors, a different security authority from the one that contains the flaw.
Remediation: Update Quiz Maker to 6.7.1.8 or newer (patched) as recommended by the published advisory, and confirm the installed version afterwards. Also review who has Contributor (or higher) access, especially third-party agencies, and validate that WPBakery content editing workflows are appropriately restricted for business-critical pages.
Similar Attacks
Stored XSS in widely used web platforms has repeatedly been leveraged to affect real organizations, often starting from a lower-privileged account and escalating impact through compromised pages viewed by employees or customers. Examples include:
WordPress Core – CVE-2019-8942 (remote code execution via a crafted image upload and Post Meta manipulation, exploitable from an Author-level account in WordPress before 4.9.9 and 5.0.1)
WordPress Core – CVE-2018-6389 (unauthenticated denial of service through the load-scripts.php script loader)
Wordfence advisory source for Quiz Maker issue (reference for affected versions and fix)