WWordPress Vulnerability Database

Security Alert XSS in Quiz Maker Plugin(CVE20266817)

Cross Site Scripting (XSS) in WordPress Quiz Maker Plugin
0
Shares
0
0
0
0
Plugin Name WordPress Quiz Maker
Type of Vulnerability Cross-Site Scripting (XSS)
CVE Number CVE-2026-6817
Urgency Medium
CVE Publish Date 2026-05-06
Source URL CVE-2026-6817

Urgent: Unauthenticated Stored XSS in WordPress Quiz Maker (CVE-2026-6817) — What Site Owners Must Do Now

A practical advisory from a Hong Kong security expert on an unauthenticated stored XSS in the Quiz Maker plugin (≤ 6.7.1.29). What the vulnerability does, real risks, detection and containment steps, patching, and mitigation options.

Executive summary — plain language

  • Vulnerability: Stored XSS in Quiz Maker, tracked as CVE-2026-6817. An attacker can inject JavaScript that is saved and later executed in users’ browsers.
  • Affected versions: Quiz Maker ≤ 6.7.1.29. Patched in 6.7.1.30.
  • Severity: Medium (CVSS ≈ 7.1).
  • Risk: Execution of arbitrary scripts in victims’ browsers — potentially leading to cookie theft, session hijacking, admin account actions, or persistence via backdoors.
  • Immediate action: Update to 6.7.1.30 or later. If immediate update is not possible, isolate or deactivate the plugin and apply targeted mitigations (access restrictions, virtual patches, or WAF rules).
  • Short-term steps: Scan for injected payloads, audit logs, rotate credentials for accounts that may have viewed infected content, and enable stronger admin protections.

What is stored XSS and why it matters

Cross-Site Scripting (XSS) happens when an application includes untrusted input in a web page without proper escaping or sanitisation. Stored (persistent) XSS occurs when the malicious input is saved on the server and later rendered to other users. Stored XSS is often more dangerous than reflected XSS because the injected content persists and can affect many visitors or administrators over time.

In this case, Quiz Maker stores injected content (for example, quiz text or data) that may be rendered later in admin screens or front-end pages. If an attacker manages to store a script that executes in an administrator’s browser, the impact can include account takeover and further compromise.

Vulnerability summary (CVE-2026-6817)

  • Product: Quiz Maker WordPress plugin
  • Versions affected: ≤ 6.7.1.29
  • Patched in: 6.7.1.30
  • Type: Stored Cross‑Site Scripting (XSS)
  • Access: Described as unauthenticated for injection, but successful impact commonly requires a privileged user to view the stored payload.
  • Severity: Medium (CVSS ~7.1)

Treat this as actionable: patch or mitigate promptly.

Why this matters for WordPress sites

Stored XSS can be used to:

  • Steal administrator cookies or session tokens and achieve account takeover.
  • Perform actions as an administrator (create posts, install plugins, add users).
  • Deliver phishing content or redirect users to malicious sites.
  • Create persistence (e.g., inject additional malicious posts, modify options, or upload backdoors).
  • Pivot to other sites on the same host if credentials are reused or accessible.

Even sites with modest traffic are attractive targets because an attacker can inject once and wait for a privileged user to view the content.

Likely exploitation scenarios

  1. An attacker submits a malicious payload via a Quiz Maker endpoint (quiz input, import, or similar). The payload is stored in the database.
  2. Later, an administrator or editor opens a plugin page or preview that renders the stored content. The injected script executes in that user’s browser under the site origin.
  3. The script steals session cookies or makes authenticated requests, creating a new admin user or installing a backdoor.
  4. The attacker gains persistent control, escalates access, or exfiltrates data.

Stored payloads can also target logged-in non-admin users, but the highest-impact outcome requires execution in a privileged account’s context.

Immediate actions you should take (priority ordered)

  1. Update the plugin now. Upgrade Quiz Maker to 6.7.1.30 or later to remove the vulnerable code paths.
  2. If you cannot update immediately:
    • Temporarily deactivate the plugin across affected sites.
    • Block access to plugin admin pages (IP restrictions, additional authentication layers, or host-level ACLs).
    • Apply targeted server-side filters or virtual patches to block exploit payloads and requests to vulnerable endpoints.
  3. Scan for malicious stored content. Search the database for “
  4. Check logs and audit activity. Review access and application logs for suspicious POSTs to plugin endpoints and correlate with admin page loads.
  5. Rotate credentials and harden accounts. Reset passwords for any administrators who viewed affected content, force logout of all sessions, and enable two‑factor authentication for admin accounts.
  6. Clean up and restore. Remove malicious entries from the database where found. If persistent filesystem or configuration changes exist, restore from a known-good backup after thorough inspection.
  7. Monitor closely. Watch logs, file integrity, new user creation, plugin installs, and outbound connections for at least 30 days after an incident.

How to detect if you were exploited

Look for these indicators:

  • Unusual admin logins from unfamiliar IPs or at odd hours.
  • New administrator accounts or unexpected role changes.
  • Unexpected plugin/theme installations or file changes in wp-content.
  • Unexpected outbound traffic or emails triggered by WordPress.
  • Presence of