CVE Vulnerability Database

CVE-2026-6817: Quiz Maker by AYS WordPress XSS Vulnerability

CVE-2026-6817 is a stored cross-site scripting flaw in the Quiz Maker by AYS WordPress plugin that lets unauthenticated attackers inject malicious scripts. This article covers technical details, affected versions, and mitigation.


CVE-2026-6817 Overview

CVE-2026-6817 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting the Quiz Maker by AYS plugin for WordPress. The flaw exists in all versions up to and including 6.7.1.29. The plugin fails to sanitize input and escape output for the rate_reason parameter, allowing unauthenticated attackers to inject arbitrary JavaScript that executes in the browser of any user viewing an affected page.

Critical Impact

Unauthenticated attackers can persist malicious scripts on WordPress sites running vulnerable versions of Quiz Maker by AYS, leading to session theft, redirection, or administrative account compromise.

Affected Products

  • Quiz Maker by AYS plugin for WordPress
  • All versions up to and including 6.7.1.29
  • WordPress sites with the plugin installed and active

Discovery Timeline

  • 2026-05-02 - CVE-2026-6817 published to NVD
  • 2026-05-05 - Last updated in NVD database

Technical Details for CVE-2026-6817

Vulnerability Analysis

The vulnerability is a stored XSS issue in the Quiz Maker by AYS plugin. The plugin accepts user-supplied input through the rate_reason parameter without applying sufficient input sanitization or output escaping. Attackers can submit payloads containing HTML or JavaScript that the plugin stores in the WordPress database. When a legitimate user later loads a page rendering this stored content, the browser executes the injected script in the site's origin.

Because the issue is reachable without authentication, attackers can target any WordPress site running a vulnerable version. Exploitation does not require user interaction beyond visiting the affected page. The CWE-79 classification confirms the root issue is improper neutralization of input during web page generation.

Root Cause

The rate_reason parameter handler does not invoke WordPress sanitization functions such as sanitize_text_field() on input or escaping helpers such as esc_html() or esc_attr() on output. This omission lets raw markup persist in the database and reach the rendered DOM unchanged. The patch applied in plugin changeset 3513370 addresses the missing sanitization and escaping on this parameter.
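To make the root cause concrete, here is an added illustration (not code from the Quiz Maker plugin or its changeset): a hypothetical rating handler written in the unsafe shape described above, beside its hardened form. The stand-in definitions of sanitize_text_field() and esc_html() approximate the WordPress helpers so the file runs outside WordPress; when WordPress has loaded the real functions they are skipped.

```php
<?php
// Added illustrative example, not code from the Quiz Maker plugin: a hypothetical
// rate_reason handler in the unsafe shape the page describes, beside the hardened
// shape. Outside WordPress, the two stand-ins below approximate the real helpers
// (sanitize_text_field, esc_html) so the file runs on its own.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        $str = strip_tags($str);                              // drop HTML tags
        $str = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $str); // drop control chars
        return trim(preg_replace('/\s+/', ' ', $str));        // collapse whitespace
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Unsafe shape (CWE-79): the request value is stored as-is and later echoed as-is,
// so any markup a submitter includes is rendered by every viewer's browser.
function store_rate_reason_unsafe(array $request, array &$row): void {
    $row['rate_reason'] = (string) ($request['rate_reason'] ?? '');
}
function render_rate_reason_unsafe(array $row): string {
    return '<td class="rate-reason">' . $row['rate_reason'] . '</td>';
}

// Hardened shape: sanitize when the value enters the database, and escape for the
// HTML text context when it leaves. Output escaping is the control that makes the
// value inert; sanitization alone still leaves quotes and & that matter in other
// contexts (use esc_attr() instead when the value is printed inside an attribute).
function store_rate_reason_safe(array $request, array &$row): void {
    $row['rate_reason'] = sanitize_text_field((string) ($request['rate_reason'] ?? ''));
}
function render_rate_reason_safe(array $row): string {
    return '<td class="rate-reason">' . esc_html($row['rate_reason']) . '</td>';
}

// Constructed input: benign feedback that happens to contain markup-significant
// characters, enough to show the difference between the two handlers.
$request = ['rate_reason' => 'Question 3 was <b>hard</b> & the timer is "short"'];
$unsafeRow = [];
$safeRow = [];
store_rate_reason_unsafe($request, $unsafeRow);
store_rate_reason_safe($request, $safeRow);
echo render_rate_reason_unsafe($unsafeRow), PHP_EOL; // <b>...</b> reaches the DOM
echo render_rate_reason_safe($safeRow), PHP_EOL;     // tags removed, & and " escaped
```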

Attack Vector

An attacker submits a crafted request containing a malicious payload in the rate_reason field exposed by the plugin. The payload is stored server-side. When administrators or visitors load a page that renders the rate reason value, the embedded script runs in their session context. Successful exploitation can hijack authenticated sessions, exfiltrate cookies, modify page content, or perform actions on behalf of higher-privileged users.

For technical details, refer to the WordPress Change Log Entry and the Wordfence Vulnerability Report.

Detection Methods for CVE-2026-6817

Indicators of Compromise

  • HTTP requests containing <script>, javascript:, or HTML event handlers in the rate_reason parameter.
  • Quiz rating records in the WordPress database containing markup or encoded script payloads.
  • Unexpected outbound connections from administrator browsers after viewing quiz rating pages.

Detection Strategies

  • Inspect web server access logs for POST requests to Quiz Maker endpoints carrying suspicious characters in rate_reason.
  • Run database queries against plugin tables to identify stored values containing <, >, or on*= event handler patterns.
  • Deploy a Web Application Firewall (WAF) rule to flag XSS payload signatures targeting the plugin's submission endpoints.
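As an added example (not part of the original page), the log-inspection strategy applied to constructed access-log lines: the rate_reason value is taken from the request target, percent-decoded as many times as needed, and matched against the indicators listed above. The paths and addresses in the sample lines are placeholders, and because a standard access log records only the request line, POST bodies need request-body logging (for example a ModSecurity audit log) before this check can see them.

```php
<?php
// Added example, not from the original page: scan access-log lines for rate_reason
// values carrying the markup indicators listed above. Only the request line is in
// a standard access log, so this sees query-string submissions; POST bodies need
// request-body logging (for example a ModSecurity audit log) to be inspected.
// Endpoint paths and addresses in the sample lines are constructed placeholders.
const RATE_REASON_INDICATORS = '/<|>|javascript\s*:|\bon\w+\s*=/i';

function decode_fully(string $value, int $maxRounds = 3): string {
    // Undo repeated percent-encoding; payloads in logs are often double-encoded.
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

function suspicious_rate_reasons(array $logLines): array {
    $hits = [];
    foreach ($logLines as $index => $line) {
        // The quoted request line holds "METHOD target HTTP/x"; take the target.
        if (!preg_match('/"(GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        parse_str((string) parse_url($m[2], PHP_URL_QUERY), $params);
        if (!isset($params['rate_reason'])) {
            continue;
        }
        $value = decode_fully((string) $params['rate_reason']);
        if (preg_match(RATE_REASON_INDICATORS, $value)) {
            $hits[] = ['line' => $index + 1, 'method' => $m[1], 'rate_reason' => $value];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Line 2 carries a double-encoded
// "<script>" marker; line 3 a percent-encoded event-handler fragment.
$sample = [
    '203.0.113.5 - - [02/May/2026:10:00:01 +0000] "GET /quiz/rate?rate_reason=Nice+quiz HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/May/2026:10:00:07 +0000] "GET /quiz/rate?rate_reason=%253Cscript%253E HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/May/2026:10:00:09 +0000] "POST /quiz/rate?rate_reason=x%20onload%3D1 HTTP/1.1" 200 512',
];
foreach (suspicious_rate_reasons($sample) as $hit) {
    printf("line %d (%s): %s\n", $hit['line'], $hit['method'], $hit['rate_reason']);
}
```

Lines 2 and 3 of the constructed sample are reported; line 1 is benign and stays silent.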

Monitoring Recommendations

  • Monitor WordPress administrator sessions for anomalous activity following quiz interactions.
  • Track plugin version inventory across WordPress deployments to identify hosts running versions at or below 6.7.1.29.
  • Alert on Content Security Policy (CSP) violations originating from pages rendered by the Quiz Maker plugin.

How to Mitigate CVE-2026-6817

Immediate Actions Required

  • Update the Quiz Maker by AYS plugin to a version newer than 6.7.1.29 as soon as the vendor publishes a fixed release.
  • Audit existing quiz rating data for stored payloads and purge any records containing script content.
  • Force password resets for WordPress administrator accounts that may have viewed compromised pages.

Patch Information

The upstream fix is published in plugin changeset 3513370. Site operators should apply the patched plugin release through the WordPress plugin updater. Reference the WordPress Change Log Entry to verify the deployed version contains the sanitization fix.

Workarounds

  • Deactivate the Quiz Maker by AYS plugin until a patched version is installed.
  • Deploy a WAF rule that blocks requests containing HTML or JavaScript in the rate_reason parameter.
  • Apply a strict Content Security Policy that prohibits inline script execution on pages rendered by the plugin.

# Example WAF rule (ModSecurity) blocking script payloads in rate_reason.
# t:none resets inherited transformations; urlDecodeUni and htmlEntityDecode
# normalise encoded variants before the pattern is applied. The on\w+= group
# covers any HTML event handler, not only onerror/onload. A signature rule is
# a stopgap until the patched plugin release is installed.
SecRule ARGS:rate_reason "@rx (?i)(<script|javascript:|on\w+\s*=)" \
    "id:1026817,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,log,msg:'CVE-2026-6817 XSS attempt in rate_reason'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
