CVE-2026-48867 Overview
CVE-2026-48867 is an unauthenticated Cross-Site Scripting (XSS) vulnerability affecting the Quiz And Survey Master WordPress plugin in versions 11.1.2 and earlier. The flaw allows remote attackers to inject malicious scripts that execute in the context of a victim's browser when they interact with a crafted resource. Exploitation requires user interaction but no authentication or prior access to the target site. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Successful exploitation can lead to session hijacking, credential theft, redirection to attacker-controlled domains, and unauthorized actions performed in the victim's session.
Critical Impact
An unauthenticated attacker can execute arbitrary JavaScript in a victim's browser, with scope change permitting impact beyond the vulnerable component to other parts of the WordPress site.
Affected Products
- Quiz And Survey Master plugin (quiz-master-next) for WordPress
- All versions up to and including 11.1.2
- WordPress sites with the plugin installed and publicly reachable
Discovery Timeline
- 2026-06-15 - CVE-2026-48867 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-48867
Vulnerability Analysis
The vulnerability is an unauthenticated stored or reflected Cross-Site Scripting flaw in the Quiz And Survey Master plugin. The plugin fails to properly neutralize user-supplied input before rendering it in HTML output generated for site visitors or administrators. An attacker can craft input containing JavaScript payloads that the plugin echoes back without adequate encoding or sanitization.
Because the attack vector is network-based and requires no privileges, any visitor able to reach a quiz or survey endpoint can submit a payload. User interaction is required, meaning a victim must view the affected page or follow a crafted link for the script to execute. The scope is changed, indicating the injected script can affect resources beyond the immediate plugin context, including site-wide cookies, administrator sessions, and other plugins running on the same origin.
Root Cause
The root cause is insufficient input validation and output encoding within the plugin's request handling and template rendering logic. Input received from quiz or survey submission fields, query parameters, or related endpoints is incorporated into rendered HTML without escaping characters such as <, >, ", and '. This allows arbitrary HTML and JavaScript constructs to break out of the intended data context.
Attack Vector
An attacker constructs a malicious URL or submission targeting an endpoint exposed by the Quiz And Survey Master plugin and embeds a JavaScript payload in a vulnerable parameter. The attacker delivers the link through phishing, social media, or compromised pages. When a victim, including an authenticated administrator, loads the affected page, the injected script executes in their browser under the site's origin. The payload can exfiltrate session cookies, perform CSRF-style actions against the WordPress REST API, modify content, or redirect to attacker infrastructure. Technical details are available in the Patchstack Vulnerability Advisory.
Detection Methods for CVE-2026-48867
Indicators of Compromise
- Unusual <script>, onerror, onload, or javascript: strings in WordPress request logs targeting quiz or survey endpoints
- Outbound requests from administrator browsers to unfamiliar domains shortly after viewing plugin-rendered pages
- New or modified administrator accounts, posts, or plugin settings without a corresponding legitimate session
- Quiz or survey submissions containing encoded payloads such as %3Cscript%3E or HTML entity sequences
Detection Strategies
- Inspect web server access logs for query parameters and POST bodies containing HTML or JavaScript tokens directed at quiz-master-next routes
- Deploy a Web Application Firewall rule set that flags XSS signatures on plugin endpoints under /wp-content/plugins/quiz-master-next/ and related admin-ajax actions
- Enable Content Security Policy (CSP) reporting to capture violations triggered by inline script execution on plugin pages
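The log-inspection strategy above, worked through as an added example (not from the advisory or the plugin's vendor): it decodes query-string values, including double URL-encoding and HTML entities, and flags the indicator tokens only on requests scoped to the plugin. The plugin path prefix, the admin-ajax action name set and the sample log lines are assumptions and constructed data.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumptions, not taken from the advisory: combined-format access logs, plugin
# routes under /wp-content/plugins/quiz-master-next/, and a placeholder set of
# admin-ajax action names the operator must fill in from the installed plugin.
PLUGIN_PATH_PREFIX = "/wp-content/plugins/quiz-master-next/"
PLUGIN_AJAX_ACTIONS = {"example_qsm_action"}  # placeholder, not a real action

# Tokens from the indicator list above, matched after decoding.
XSS_TOKENS = re.compile(r"<\s*script\b|\bon(?:error|load)\s*=|javascript\s*:", re.I)
REQUEST_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample traffic (RFC 5737 addresses); not real log data.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-content/plugins/quiz-master-next/?q=%253Cscript%253Ex%253C/script%253E HTTP/1.1" 200 512
203.0.113.11 - - [15/Jun/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_qsm_action&name=%3Cimg%20src=x%20onerror=x%3E HTTP/1.1" 200 88
203.0.113.12 - - [15/Jun/2026:10:00:03 +0000] "GET /blog/?s=%3Cscript%3E HTTP/1.1" 200 700
203.0.113.13 - - [15/Jun/2026:10:00:04 +0000] "GET /wp-content/plugins/quiz-master-next/?answer=I%20like%20onload%20events HTTP/1.1" 200 500
"""

def normalize(value: str) -> str:
    """Undo an extra layer of URL encoding plus HTML entities, so that
    %253Cscript%253E and &lt;script&gt; both become <script>."""
    return html.unescape(unquote(unquote(value)))

def in_plugin_scope(path: str, params: dict) -> bool:
    if path.startswith(PLUGIN_PATH_PREFIX):
        return True
    return path.endswith("/admin-ajax.php") and params.get("action") in PLUGIN_AJAX_ACTIONS

def scan_line(line: str):
    """Return (client_ip, path, parameter) for a plugin-scoped request carrying an
    XSS token after decoding, else None. Access logs lack POST bodies (GET only)."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if not in_plugin_scope(parts.path, params):
        return None  # tokens on unrelated routes are out of scope for this rule
    for name, value in params.items():
        if XSS_TOKENS.search(normalize(value)):
            return (line.split(" ", 1)[0], parts.path, name)
    return None

def scan_log(text: str) -> list:
    return [hit for hit in map(scan_line, text.splitlines()) if hit]
```

The fourth sample line shows why the event-handler pattern requires a following `=`: a benign answer containing the word "onload" is not reported.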
Monitoring Recommendations
- Monitor WordPress audit logs for configuration changes, user role escalations, and option modifications following plugin page access
- Track browser-side telemetry for administrators including unexpected DOM modifications on /wp-admin/ pages that embed plugin content
- Alert on plugin version drift and verify that quiz-master-next is patched above version 11.1.2 across all managed WordPress instances
How to Mitigate CVE-2026-48867
Immediate Actions Required
- Update the Quiz And Survey Master plugin to a version newer than 11.1.2 as soon as the vendor publishes a fixed release
- Audit administrator accounts and active sessions for signs of compromise, and invalidate all sessions to force re-authentication
- Restrict access to quiz and survey endpoints behind authentication or IP allowlists where the public-facing functionality is not required
Patch Information
Refer to the Patchstack Vulnerability Advisory for the current patch status and fixed release information. Apply the vendor's patched version through the WordPress plugin updater and verify the installed version after deployment.
Workarounds
- Deactivate the Quiz And Survey Master plugin until a patched release is installed if quiz functionality is not business-critical
- Deploy a Web Application Firewall rule that blocks requests containing common XSS payload patterns targeting quiz-master-next paths
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins to limit payload execution
- Require administrators to access /wp-admin/ only from a separate browser profile to reduce the blast radius of session theft
# Example WordPress CLI commands to check and update the affected plugin
wp plugin get quiz-master-next --field=version
wp plugin update quiz-master-next
wp plugin deactivate quiz-master-next # temporary workaround if no patch is available
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

