| Plugin Name | Quiz Maker |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2026-2384 |
| Urgency | Medium |
| CVE Publish Date | 2026-02-19 |
| Source URL | CVE-2026-2384 |
Urgent Security Advisory: Authenticated Contributor Stored XSS Vulnerability in Quiz Maker Plugin (<= 6.7.1.7) — Immediate Actions Required for WordPress Site Owners
Executive Summary
- Vulnerability: Stored Cross-Site Scripting (XSS) exploitable by authenticated users with Contributor or higher privileges via plugin shortcode.
- Affected Versions: Quiz Maker plugin versions up to and including 6.7.1.7
- Patch Available: Version 6.7.1.8
- CVE Identifier: CVE-2026-2384
- Privilege Required: Contributor (authenticated)
- Impact: Attackers can inject persistent JavaScript that executes in the browsers of site visitors, and of the editors or administrators who preview or review the submitted content, whenever the affected shortcode renders. Because WordPress sets its auth cookies HttpOnly, the realistic outcome is not cookie theft but actions taken inside the victim's session (for example using the nonces embedded in admin pages to create users or change content), plus phishing overlays, redirects, or malware distribution.
- Mitigation: Immediate plugin update to 6.7.1.8 is the only complete remediation. In cases where patching cannot be immediate, apply Web Application Firewall (WAF) virtual patches and other containment measures described below.
At Managed-WP, our security experts are committed to providing clear, actionable intelligence to WordPress site administrators and security professionals. This advisory outlines the threat, the exploit mechanism, detection and containment steps, firewall rule recommendations, content remediation, and guidance to minimize the risk associated with this vulnerability.
Understanding the Risk: What This Means for Your Site
The Contributor role in WordPress allows users to write and submit posts for review but not to publish them. The vulnerable Quiz Maker plugin did not sanitize or escape the values a contributor places in the plugin shortcode; those values are stored with the post and written into the HTML the shortcode generates when it renders. Because the payload is stored, it runs every time the content renders: for site visitors once the post is published and, before that, for the editor or administrator who previews the pending submission. That reviewer, working from a logged-in admin session, is the most valuable target.
This type of stored XSS poses significant risk: attackers can perform actions with the victim's privileges, hijack user accounts, redirect visitors to malicious websites, or use your site to propagate further attacks. Only an authenticated contributor account is required, which lowers the barrier for attackers who already hold limited access, for instance on sites that accept guest authors or allow open registration with Contributor as the default role.
Immediate Remediation Checklist for Site Owners
- Update Now: Upgrade Quiz Maker to version 6.7.1.8 immediately. This patch fully resolves the vulnerability.
- If You Cannot Patch Immediately:
- Enable WAF rules blocking XSS payloads targeting plugin endpoints and shortcode inputs.
- Temporarily disable rendering of affected shortcodes on public-facing pages.
- Search your database for suspicious stored scripts or attributes such as <script>, onerror=, onload=, or javascript:, and for quote characters or on* handlers inside the attributes of the plugin's shortcode (a contributor's payload often contains no <script> tag at all).
- Audit recent content added by contributors for malicious payloads, before previewing it in an admin session.
- Change administrative credentials if suspicious activity is detected.
- Run a comprehensive malware scan with your security toolset to detect and remove infected content.
- Monitor logs and traffic for anomalies during remediation.
Technical Breakdown: Why the Vulnerability Exists
- Component: The shortcode output handler in Quiz Maker plugin versions <= 6.7.1.7.
- Weakness: Lack of proper sanitization and escaping of contributor-controlled content passed directly into shortcode-generated HTML output.
- Attack Outcome: Authenticated contributors can embed JavaScript, which executes when the shortcode renders on the front end or back-end previews.
- CVSS Version 3.1 Metrics (as listed with this advisory):
- Attack Vector: Network (via HTTP requests)
- Privileges Required: Low (authenticated contributor)
- User Interaction: Required (a victim must load a page that renders the shortcode)
- Scope: Changed (the script runs in other users' browsers)
- Severity Score: 6.5 (Medium)
Note: the metrics above do not reproduce 6.5 under the CVSS 3.1 formula. Combined with the Low confidentiality and integrity impact and no availability impact that is typical for stored XSS (an assumption, since the advisory does not list the impact metrics), they score 5.4, or 6.4 if User Interaction is None. Check the vector string on the CVE record before relying on the number. The stored nature means the injected code affects every visitor, editor or administrator who loads the affected content, which is what drives the Scope: Changed rating.
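To make the weakness concrete, here is an illustrative shortcode handler in the vulnerable shape beside a hardened one. This is an added example, not Quiz Maker's code: the tag quiz, the id and title attributes and the div-based output are assumptions chosen to show the bug class, and the payload in the comment is a constructed sample.

```php
<?php
// Added illustration, NOT Quiz Maker's source. ASSUMPTIONS: shortcode tag "quiz",
// attributes "id" and "title", and a div-based output; the bug class is what matters.

// Vulnerable shape: attribute values from the post body are concatenated into HTML
// without escaping. KSES never looks inside [ ... ] brackets, so a Contributor can store
// (constructed sample):
//   [quiz id="1" title='" tabindex="0" autofocus onfocus="alert(document.domain)']
// and shortcode_parse_atts() hands the handler
//   title = " tabindex="0" autofocus onfocus="alert(document.domain)
// which below becomes a live attribute breakout on every render.
function demo_quiz_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0, 'title' => '' ), $atts, 'quiz' );
    return '<div class="quiz" data-id="' . $atts['id'] . '" data-title="' . $atts['title'] . '">'
         . $atts['title']
         . '</div>';
}

// Hardened shape: validate types on input, then escape for the exact output context.
function demo_quiz_shortcode_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'id' => 0, 'title' => '' ), $atts, 'quiz' );
    $id    = absint( $atts['id'] );                 // non-negative integer, 0 if garbage
    $title = sanitize_text_field( $atts['title'] ); // drop tags, control chars, odd bytes
    if ( 0 === $id ) {
        return '';                                  // nothing sensible to render
    }
    return sprintf(
        '<div class="quiz" data-id="%d" data-title="%s">%s</div>',
        $id,
        esc_attr( $title ), // attribute context: encodes " ' < > & so the value cannot close the attribute
        esc_html( $title )  // text context
    );
}

// Register only the hardened handler; the vulnerable one is here for comparison.
add_shortcode( 'quiz', 'demo_quiz_shortcode_hardened' );
```

With the sample payload the vulnerable handler emits <div class="quiz" data-id="1" data-title="" tabindex="0" autofocus onfocus="alert(document.domain)">, which fires when the browser autofocuses the element on load; the hardened handler emits the same text as an inert, entity-encoded attribute value. Sanitizing on input is not enough on its own, because sanitize_text_field() leaves quotes in place; the escape at output time is the control that actually closes the hole.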
Exploitation Scenarios: Potential Attacker Outcomes
- Injecting scripts that act inside a victim's session. WordPress sets its auth cookies HttpOnly, so document.cookie does not expose them; instead the script reads the CSRF nonces embedded in admin pages and makes authenticated REST or admin-ajax requests on the victim's behalf, for example to create an administrator account or install a plugin. Tokens that are readable by JavaScript (such as JWTs issued by an API authentication plugin and kept in localStorage) can be exfiltrated directly.
- Logging keystrokes or capturing sensitive admin inputs.
- Injecting misleading HTML content or phishing forms.
- Redirecting visitors to malicious domains or delivering drive-by downloads.
For security reasons, Managed-WP does not publish proof-of-concept exploit code but focuses on empowering defenders to detect, block, and contain threats.
Detection Techniques for Site Administrators
- Search posts, metadata, and plugin-specific tables for suspicious injected code. Know what you are looking for first: for users without unfiltered_html, WordPress core strips <script> tags and on* attributes from HTML at save time, so a contributor's payload for this vector usually contains no <script at all. It sits inside the attributes of the plugin shortcode and uses a quote to close the attribute the plugin writes it into (for example title='" onmouseover="...'), so search for quotes and on* handlers inside the shortcode as well as for script tags. The $(wp db prefix) substitution below picks up a non-default table prefix.
Quick search with WP-CLI:
wp db query "SELECT ID, post_title FROM $(wp db prefix)posts WHERE post_content LIKE '%<script%' OR post_content LIKE '%onerror=%' OR post_content LIKE '%javascript:%';"
SQL search examples (replace wp_ with your prefix):
SELECT * FROM wp_postmeta WHERE meta_value LIKE '%<script%' OR meta_value LIKE '%onerror=%';
SELECT ID, post_title, post_author FROM wp_posts WHERE post_content LIKE '%[%quiz%' AND post_content REGEXP '<script|on[a-z]+=|javascript:';
- Identify posts containing the plugin shortcode and check for embedded scripts. The [quiz ...] form used in this advisory is a placeholder; find the tag the plugin really registers with:
grep -rn "add_shortcode(" wp-content/plugins/quiz-maker/
List every post, page, draft, pending item and revision that contains it:
wp db query "SELECT ID, post_type, post_status, post_author FROM $(wp db prefix)posts WHERE post_content LIKE '%[%quiz%';"
Review the identified content for script tags and, inside the shortcode attributes, for quotes that close an attribute, on* handlers, or javascript: URLs.
- Run full malware scans on the site.
- Inspect server and application logs for unusual activity by contributor accounts: bursts of post saves, REST requests to the posts endpoint with unexpectedly large bodies, or requests to plugin endpoints a contributor has no reason to use.
- Ensure your WAF logs are actively monitored for XSS signature blocks targeting Quiz Maker actions.
Containment Measures Prior to Applying the Full Patch
If immediate patching is not possible, take these emergency steps:
- Temporarily disable the Quiz Maker plugin if feasible. With the plugin inactive the shortcode is no longer registered, so WordPress prints the literal [quiz ...] text instead of rendering it; the stored payload stays in the database but does not execute.
- Disable quiz shortcode rendering by:
- Removing shortcodes manually from pages/posts, or
- Commenting out or conditionalizing code in theme templates that calls do_shortcode('[quiz ...]').
- Restrict the Contributor role: temporarily demote contributor accounts to Subscriber (or block their logins) until the plugin is updated, and review any pending or draft posts they submitted before you preview them, since previewing a poisoned draft runs the payload in the reviewer's browser.
- Apply virtual patching via your WAF:
- Block POST or PUT requests that carry script or event-handler payloads to the endpoints through which post content is saved (wp-admin/post.php, the REST posts endpoint, admin-ajax.php) and to plugin AJAX or admin endpoints.
- Detect and block payloads containing <script>, onerror=, onload= (better: any on*= handler), or javascript: in quiz content POST data. A WAF only stops new injections; content already stored must be cleaned separately.
- Use Content Security Policy (CSP) headers to restrict script execution sources, ideally disallowing inline scripts.
Example CSP header (may require fine-tuning):
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.example.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none';
Caveats: this policy blocks all inline scripts and inline event handlers, which is exactly what defeats the injected payload, but WordPress core, most themes and many plugins also emit inline scripts, so expect breakage. Roll it out first as Content-Security-Policy-Report-Only, add nonces or hashes for the legitimate inline scripts it reports, and only then switch to the enforcing header. CSP limits what the injected markup can do; it does not remove it.
Recommended Web Application Firewall (WAF) Rules
The below sample rules illustrate the type of filters you can deploy. Always test thoroughly in staging environments before deploying to production.
ModSecurity example: block script/handler injection on the paths through which contributor content is saved. Contributor posts reach the database via wp-admin/post.php (classic editor), /wp-json/wp/v2/posts (block editor, including autosaves) and admin-ajax.php, so scoping the rule to admin-ajax alone misses the main path. Two syntax points to get right: disruptive actions (deny, status) belong in the first rule of a chain, and a transformation list must begin with t:none (t:lowercase followed by t:none would cancel the lowercase).
# Let ModSecurity parse JSON bodies (block editor saves) so ARGS contains the fields;
# requires ModSecurity built with JSON (YAJL) support
SecRule REQUEST_HEADERS:Content-Type "@rx ^application/json" \
    "id:100000,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRule REQUEST_URI "@rx ^/(wp-admin/(post|admin-ajax)\.php|wp-json/wp/v2/(posts|pages)|index\.php\?rest_route=)" \
    "id:100001,phase:2,deny,status:403,log,msg:'Block potential Quiz Maker XSS injection',chain"
    SecRule ARGS|ARGS_NAMES "@rx (?i)(<script\b|\bon[a-z]+\s*=|javascript\s*:)" "t:none,t:urlDecodeUni"
Block POST requests with XSS payloads targeting Quiz Maker endpoints (the URI pattern is a guess at the plugin's endpoint names; replace it with the paths you see in your own access logs):
SecRule REQUEST_METHOD "@streq POST" \
    "id:100002,phase:2,deny,status:403,log,msg:'Block POST XSS payload to Quiz Maker endpoints',chain"
    SecRule REQUEST_URI "@rx (?i)(quiz|quiz-maker|quizmaker|qm)_?(create|save|update|ajax)" "chain"
        SecRule ARGS|ARGS_NAMES "@rx (?i)(<script\b|\bon[a-z]+\s*=|javascript\s*:)" "t:none,t:urlDecodeUni"
Response inspection to log inline handlers after shortcode rendering:
# Note: needs SecResponseBodyAccess On and runs in phase 4 (response body). It costs CPU on
# every HTML response, and WordPress core, themes and plugins emit inline scripts on normal
# pages, so keep this log-only and scope it to the pages that render the shortcode.
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" \
    "id:100003,phase:4,pass,log,msg:'Inline event handler or javascript: URL in HTML response',chain"
    SecRule RESPONSE_BODY "@rx (?i)(<[a-z][^>]*\bon[a-z]+\s*=|javascript\s*:)" "t:none"
- Start with detection mode (SecRuleEngine DetectionOnly, or pass instead of deny) to measure false positives: a legitimate article that mentions onclick= or javascript: in a code sample will match.
- Limit rules to plugin-specific URIs and parameters to reduce collateral blocking, and remember that a WAF only sees the payload going in; content already stored is unaffected.
WordPress Hook Snippets for Quick Mitigation
If you have WordPress development resources, apply the following filter hooks to sanitize inputs contributed by users before they are saved. Test carefully in development/staging environments before applying live.
Sanitize post content submitted by users who lack unfiltered_html. Note what this does and does not buy you: WordPress core already runs wp_filter_post_kses on such content at save time, which removes <script> tags and on* attributes from HTML, so this filter mostly duplicates core, and it does nothing for the real vector here, attribute values inside [quiz ...] brackets, which KSES does not parse. Treat it as defence in depth, not as the fix:
add_filter( 'pre_post_content', function ( $content ) {
    // Role names are not capabilities; test the capability that actually matters.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content;
    }
    // Data arrives slashed in this filter (wp_insert_post expects slashed input),
    // so unslash before matching and re-slash on the way out, as KSES does.
    $content = wp_unslash( $content );
    // Strip <script>...</script> blocks, including ones spanning line breaks
    $content = preg_replace( '#<script\b[^>]*>.*?</script>#si', '', $content );
    // Remove on* event-handler attributes from any remaining HTML tag
    $content = preg_replace_callback( '#<([a-z][a-z0-9]*)([^>]*)>#i', function ( $m ) {
        $attrs = preg_replace( '/\s+on[a-z]+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $m[2] );
        return '<' . $m[1] . $attrs . '>';
    }, $content );
    return wp_slash( $content );
}, 10, 1 );
Prevent users without unfiltered_html from saving the quiz shortcode at all (quick stopgap). There is no WordPress capability that governs shortcode use, so the content itself has to be filtered:
add_filter( 'pre_post_content', function ( $content ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content;
    }
    // Remove opening and closing [quiz ...] tags; any enclosed text stays as plain text.
    // 'quiz' is a placeholder: use the tag the plugin actually registers.
    return preg_replace( '#\[/?quiz\b[^\]]*\]#i', '', $content );
}, 10, 1 );
Ultimately, the full fix requires plugin vendor patching and site update.
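The containment options from the previous sections (suppress rendering for untrusted authors, sanitize what reaches the plugin's handler, report-only CSP) can be applied from one must-use plugin without touching the vulnerable plugin's files. This is an added example written for this advisory, not code from Quiz Maker or from Managed-WP; it assumes the shortcode tag is quiz (confirm it with the grep in the comment) and that the plugin registers its shortcode no later than the init action.

```php
<?php
/**
 * Plugin Name: Quiz shortcode containment (stopgap; remove after updating to 6.7.1.8)
 *
 * Drop this file into wp-content/mu-plugins/. It wraps the quiz shortcode so that every
 * attribute value is sanitized before the plugin's own handler runs, refuses to render
 * quizzes placed by authors who lack unfiltered_html, and sends a report-only CSP so the
 * inline scripts a theme legitimately needs can be inventoried before enforcing one.
 */

// ASSUMPTION: the shortcode tag. Confirm with:
//   grep -rn "add_shortcode(" wp-content/plugins/quiz-maker/
const MWP_QUIZ_TAG = 'quiz';

/**
 * Remove anything that could close an HTML attribute, start a tag, or form a
 * javascript: URL. Deliberately blunt: this is a stopgap, not a general escaper.
 */
function mwp_quiz_clean_value( $value ) {
    $value = sanitize_text_field( (string) $value );                     // tags, control chars
    $value = str_replace( array( '"', "'", '<', '>', '`' ), '', $value ); // attribute breakouts
    return preg_replace( '/javascript\s*:/i', '', $value );              // scheme payloads
}

add_action( 'init', function () {
    global $shortcode_tags;
    if ( empty( $shortcode_tags[ MWP_QUIZ_TAG ] ) ) {
        return;                                   // plugin inactive, or the tag differs
    }
    $original = $shortcode_tags[ MWP_QUIZ_TAG ];  // the plugin's own callback

    add_shortcode( MWP_QUIZ_TAG, function ( $atts, $content = '', $tag = '' ) use ( $original ) {
        // A contributor's post keeps the contributor as post_author even after an editor
        // publishes it, so this also covers the "reviewer previews the draft" case.
        $post = get_post();
        if ( $post && ! user_can( (int) $post->post_author, 'unfiltered_html' ) ) {
            return '<!-- quiz shortcode suppressed pending plugin update -->';
        }

        // Whoever the author is (and outside the loop, where there is no post to check),
        // sanitize every attribute value and any enclosed content before handing off.
        $clean = $atts;
        if ( is_array( $atts ) ) {
            $clean = array();
            foreach ( $atts as $key => $value ) {
                $key = is_int( $key ) ? $key : sanitize_key( $key ); // names become [a-z0-9_-]
                if ( '' !== $key ) {
                    $clean[ $key ] = mwp_quiz_clean_value( $value );
                }
            }
        }
        $content = is_string( $content ) ? wp_kses_post( $content ) : $content;
        return call_user_func( $original, $clean, $content, $tag );
    } );
}, PHP_INT_MAX ); // run after the plugin has registered its shortcode

// Report-only CSP: violations are logged to the browser console (add report-uri/report-to
// to collect them centrally) without breaking anything. Switch to Content-Security-Policy
// only once the inline scripts it reports have been given nonces or hashes.
add_action( 'send_headers', function () {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" );
    }
} );
```

The wrapper sits in front of whatever callback the plugin registered, so it survives an update too; remove it once 6.7.1.8 is installed. If the plugin calls shortcode_atts() with its tag as the third argument, the shortcode_atts_quiz filter would be a lighter alternative, but many plugins omit that argument, which is why the wrapper re-registers the tag instead. It does not cover quiz content the plugin renders through its own AJAX endpoints or page templates.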
Database Audit and Cleanup Procedure
- Backup your site database and files before making any changes.
- Locate where Quiz Maker stores quizzes:
- Likely in wp_posts.post_content for quizzes placed as shortcodes in posts and pages, including revisions and autosaves, which are rows of wp_posts with post_type revision.
- Also check wp_postmeta and any plugin-specific tables (the wp_qm_quizzes name used below is a placeholder; take the real table names from the plugin's installer code or your database's table list).
- Run search queries to find suspicious script content (the wp_ prefix and the plugin table/column names below are placeholders; substitute your own). Remember that a contributor's payload for this vector typically contains no <script> at all, because core KSES removes it on save; it sits inside [quiz ...] attributes, so also review every row that carries the shortcode:
-- Search wp_posts (including revisions) for script injections
SELECT ID, post_type, post_status, post_author
FROM wp_posts
WHERE post_content REGEXP '<script|on[a-z]+=|javascript:';
-- Search wp_postmeta for script injections
SELECT post_id, meta_key, meta_value
FROM wp_postmeta
WHERE meta_value REGEXP '<script|on[a-z]+=|javascript:';
-- Search plugin-specific quiz tables (placeholder names)
SELECT * FROM wp_qm_quizzes WHERE quiz_content REGEXP '<script|on[a-z]+=|javascript:';
- Export or quarantine suspicious records for manual review.
- Clean affected content. Prefer editing the offending post through the WordPress editor or WP-CLI's post update command after manual review, so revisions, caches and other plugins' hooks see the change. If you do clean in SQL, note the limits of the example below: REGEXP_REPLACE needs MySQL 8.0 or MariaDB 10.0.5 or later, its . does not match newlines by default so a multi-line script block survives, revisions of the post keep the old content, and a payload that breaks out of a shortcode attribute with a quote and an on* handler contains no <script> tag and is not touched at all. Test on a copy first:
-- Remove single-line script tags from post_content (example)
UPDATE wp_posts
SET post_content = REGEXP_REPLACE(post_content, '<script[^>]*>.*?</script>', '')
WHERE post_content REGEXP '<script';
- Notify affected users if compromise is suspected. Rotate credentials accordingly.
- Perform a follow-up malware scan and monitor WAF logs.
Incident Response Steps Upon Detection of Exploitation
- Apply the official patch (Quiz Maker 6.7.1.8) immediately and enable WAF protections.
- Isolate, sanitize, or remove infected content from the database.
- Rotate all administrative and critical credentials (database, FTP, hosting, API tokens) and invalidate existing WordPress sessions: changing the salts and keys in wp-config.php logs every user out at once, and any application passwords on affected accounts should be revoked.
- Review access logs for suspicious or unauthorized activities.
- Look for persistence indicators: rogue admin accounts, unexpected application passwords, modified core, theme or plugin files, unfamiliar plugins or mu-plugins, and unknown scheduled (wp-cron) events.
- Restore clean backups if filesystem tampering detected.
- Communicate with stakeholders transparently for compliance and trust.
Security Hardening Best Practices
- Follow the Principle of Least Privilege:
- Regularly audit user roles and capabilities.
- Restrict unfiltered_html to trusted roles only.
- Strict Input Validation & Output Escaping:
- Ensure plugins validate and sanitize inputs with functions like sanitize_text_field() and escape outputs for their context via esc_html() or esc_attr(); sanitizing on the way in is no substitute for escaping on the way out.
- Content Security Policy (CSP):
- Implement CSP headers to reduce risk from inline scripts and restrict sources.
- Shortcode Usage Management:
- Limit shortcode creation and management to trusted roles, ideally admins only.
- Plugin and Theme Maintenance:
- Keep all site software up to date and subscribe to security advisories.
- WAF & Virtual Patching:
- Use managed Web Application Firewalls with ability to apply virtual patches ahead of vendor updates.
- Use Staging and CI Pipelines:
- Test updates and security patches in staging before production deployment.
How Managed-WP Secures Your WordPress Site Against Plugin Vulnerabilities Like This
Managed-WP provides a comprehensive, layered defense tailored for real-world WordPress environments where immediate patching might not be feasible:
- Managed WAF with Virtual Patching: Targeted rules block exploit payloads specific to plugin shortcodes and AJAX endpoints to prevent live exploitation.
- Advanced Malware Scanner: Scans the database and file system for stored XSS payloads and other threats.
- OWASP Top 10 Protections: Tuned baseline defenses mitigate common injection and XSS vectors out-of-the-box.
- Role-Aware Filtering: Customized rules target lower privilege users’ request patterns to block suspicious activity.
- Comprehensive Reporting: Consolidated alerts and logs aid in quick triage and forensic analysis.
If you are already protected by Managed-WP, please ensure your ruleset includes protections covering shortcode and plugin content sanitation checks. If not yet enabled, our free plan provides immediate baseline protections and scanning to reduce risk as you remediate.
Forensic Checklist for Vulnerability Assessment
- Check the active Quiz Maker version across your sites using wp plugin list --format=json.
- Verify the plugin changelog confirms the fix is included in 6.7.1.8.
- Search the database for stored script tags, suspect event handlers, and quote characters inside the plugin shortcode's attribute values.
- Analyze WAF and access logs for blocking events addressing this vulnerability.
- Review server logs for suspicious POST requests targeting Quiz Maker AJAX endpoints and for contributor saves to the REST posts endpoint.
- Ensure contributors do not have the unfiltered_html capability.
- Audit theme files for unescaped shortcode rendering and remediate accordingly.
Sample Detection Signature for Monitoring Systems
Use the following regex pattern to flag suspicious saved content for manual investigation or automated alerts:
- Regex Pattern:
(?i)(<script\b|\bon[a-z]+\s*=|javascript\s*:)
The word boundary before on matters: an unanchored on\w+\s*= also matches ordinary query strings such as confirmation_token=. For this particular vector, additionally flag a double or single quote inside a [quiz ...] attribute value; that is how a payload with no <script> at all closes the plugin's HTML attribute.
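For the database searches in the Detection Techniques section and the signature above, grepping for <script misses the payload shape this vector actually produces, because core KSES already strips script tags from a contributor's HTML and what remains is a quote plus an event handler inside a shortcode attribute. The following WP-CLI script is an added example (not from the original advisory, the plugin or Managed-WP) that parses every [quiz ...] shortcode with WordPress's own shortcode regex and flags attribute values that could break out of an HTML attribute. The tag name is an assumption, and the sample shortcode in the script is constructed.

```php
<?php
/**
 * scan-quiz-shortcodes.php: run with   wp eval-file scan-quiz-shortcodes.php
 *
 * Read-only scan of every wp_posts row (posts, pages, drafts, pending items,
 * revisions) for the quiz shortcode; reports attribute values that could close an
 * HTML attribute, attach an event handler, or smuggle a javascript: URL.
 */

// ASSUMPTION: the tag(s) the plugin registers. Confirm with:
//   grep -rn "add_shortcode(" wp-content/plugins/quiz-maker/
const SCAN_TAGS = array( 'quiz' );

/** True when a value contains something no quiz attribute should carry. */
function scan_is_suspicious( $value ) {
    // quotes/angle brackets/backtick = attribute or tag breakout; on*= = inline handler;
    // javascript: = scheme payload; numeric entities = encoded variants worth a look
    return 1 === preg_match( '/["\'<>`]|\bon[a-z]+\s*=|javascript\s*:|&#x?[0-9a-f]+;?/i', (string) $value );
}

/** Parse the shortcodes in one content blob; return the suspicious attributes. */
function scan_content( $content, $tags = SCAN_TAGS ) {
    $findings = array();
    // Core's own shortcode grammar, restricted to the tags of interest.
    if ( ! preg_match_all( '/' . get_shortcode_regex( $tags ) . '/', $content, $matches, PREG_SET_ORDER ) ) {
        return $findings;
    }
    foreach ( $matches as $m ) {
        if ( '[' === $m[1] && ']' === $m[6] ) {
            continue; // [[quiz ...]] is escaped and rendered literally, not executed
        }
        $atts = shortcode_parse_atts( $m[3] ); // group 3 = raw attribute text
        foreach ( (array) $atts as $name => $value ) {
            if ( scan_is_suspicious( $value ) ) {
                $findings[] = array( 'attr' => (string) $name, 'value' => (string) $value, 'raw' => $m[0] );
            }
        }
    }
    return $findings;
}

// Constructed sample (not from any real site): the first shortcode carries an attribute
// breakout, the second is benign.
$demo_content = <<<'TXT'
[quiz id="3" title='" tabindex="0" onfocus="alert(document.domain)'] [quiz id="4" title="Spring quiz"]
TXT;
$demo = scan_content( $demo_content );

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    global $wpdb;
    // Cheap SQL prefilter on the tag text; the real decision is made by the parser above.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_type, post_status, post_author, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s",
        '%[%' . $wpdb->esc_like( SCAN_TAGS[0] ) . '%'
    ) );
    $total = 0;
    foreach ( $rows as $row ) {
        foreach ( scan_content( $row->post_content ) as $f ) {
            $total++;
            WP_CLI::log( sprintf( 'post %d (%s/%s, author %d): %s=%s',
                $row->ID, $row->post_type, $row->post_status, $row->post_author, $f['attr'], $f['value'] ) );
        }
    }
    WP_CLI::log( sprintf( 'sample findings: %d, database findings: %d', count( $demo ), $total ) );
}
```

Each hit names the post, its type and status (so pending and revision rows are not overlooked), the author, and the offending attribute value; review those rows by hand before cleaning, since a legitimate quiz title containing an apostrophe will also be listed. Extend SCAN_TAGS if the plugin registers more than one tag, and run the same scan_content() over wp_postmeta values if quizzes are stored there.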
Testing and Validation Post-Remediation
- Confirm update to version 6.7.1.8 in staging environment.
- Validate plugin functionality and confirm no false positives from WAF rules.
- Re-scan the database and files for residual malicious content.
- Test contributor content submissions to ensure that JavaScript is properly escaped or removed.
- Ensure CSP headers and other security hardening measures do not break legitimate site features.
Getting Started with Managed-WP Protection Plans
While you apply patching and clean-up, consider Managed-WP’s tiered protection offerings:
- Basic (Free): Managed firewall, unlimited bandwidth, WAF, malware scanning, OWASP Top 10 mitigations.
- Standard ($50/year): Adds automatic malware removal and IP blacklisting/whitelisting capability.
- Pro ($299/year): Includes monthly security reports, virtual patching, dedicated account management, and premium services.
Sign up or upgrade at: https://my.wp-firewall.com/buy/wp-firewall-free-plan/
Pragmatic Implementation Guide for Administrators
- Update the Plugin:
- Dashboard navigation: Plugins → Installed Plugins → Update Quiz Maker to 6.7.1.8
- WP-CLI command: wp plugin update quiz-maker --version=6.7.1.8
- If Immediate Update Is Not Possible:
- Enable maintenance mode briefly and deploy WAF rules in detection mode.
- Use the provided SQL and WP-CLI searches to locate and quarantine suspicious content.
- Harden the Contributor Role:
- Remove the unfiltered_html capability from low-privilege users (on a single site it is not granted to Contributors or Authors by default; check for plugins or custom code that add it). Use capability management plugins as needed.
- Enforce multi-factor authentication for administrative users.
Final Security Recommendations
- Do Not Delay Updates: The paramount defense is timely patching to 6.7.1.8.
- WAF Is Essential: When immediate patching is not feasible, virtual patching via managed WAF stops exploitation.
- Database Hygiene: Search, quarantine, sanitize suspicious content proactively.
- Reduce Attack Surface: Restrict who can submit HTML and manage shortcodes.
- Multi-layered Defense: Combine plugin management, least-privilege, WAF, CSP, and monitoring.
Managed-WP’s security services are available to guide your remediation efforts, assist with WAF tuning, and perform audits. Take advantage of our free protection plan for immediate baseline defenses during your remediation journey.
Appendix: Quick Commands and SQL Queries for Rapid Assessment
- Check active plugin versions:
wp plugin list --status=active --format=table
- Search database for scripts or event handlers (the $(wp db prefix) substitution picks up a non-default table prefix):
wp db query "SELECT ID, post_title FROM $(wp db prefix)posts WHERE post_content REGEXP '<script|on[a-z]+=|javascript:';"
- Backup database before modifications:
wp db export /backups/$(date +%F)-site.sql
- Find recently modified files (Unix/Linux):
find /var/www/html -type f -mtime -7 -ls
For personalized support, Managed-WP security engineers are ready to assist with audit, targeted WAF deployment, and database remediation. Remember: patch promptly and use Managed-WP for advanced firewall protection to keep your site secure.
Take Proactive Action — Secure Your Site with Managed-WP
Don’t risk your business or reputation due to overlooked plugin flaws or weak permissions. Managed-WP provides robust Web Application Firewall (WAF) protection, tailored vulnerability response, and hands-on remediation for WordPress security that goes far beyond standard hosting services.
Exclusive Offer for Blog Readers: Access our MWPv1r1 protection plan—industry-grade security starting from just USD20/month.
- Automated virtual patching and advanced role-based traffic filtering
- Personalized onboarding and step-by-step site security checklist
- Real-time monitoring, incident alerts, and priority remediation support
- Actionable best-practice guides for secrets management and role hardening
Get Started Easily — Secure Your Site for USD20/month:
Protect My Site with Managed-WP MWPv1r1 Plan
Why trust Managed-WP?
- Immediate coverage against newly discovered plugin and theme vulnerabilities
- Custom WAF rules and instant virtual patching for high-risk scenarios
- Concierge onboarding, expert remediation, and best-practice advice whenever you need it
Don’t wait for the next security breach. Safeguard your WordPress site and reputation with Managed-WP—the choice for businesses serious about security.
Click here to start your protection today (MWPv1r1 plan, USD20/month).