CVE-2026-2384

CWE-79Cross-site Scripting (XSS)4 documents4 sources
Severity
6.4MEDIUM
EPSS
0.0%
top 98.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ays-pro Quiz Maker
Timeline
PublishedFeb 20

Description

The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This vulnerability requires WPBakery Page

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages1 packages

CVEListV5ays-pro/quiz_maker6.7.1.7

🔴Vulnerability Details

2
CVEList
Quiz Maker <= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode2026-02-20
GHSA
GHSA-8823-cww3-2gv3: The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and2026-02-20

🕵️Threat Intelligence

1
Wiz
CVE-2026-2384 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-2384 (MEDIUM CVSS 6.4) | The Quiz Maker plugin for WordPress | cvebase.io