{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2384", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-11T22:29:12.029Z", "datePublished": "2026-02-20T02:23:32.566Z", "dateUpdated": "2026-04-08T17:29:49.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:49.908Z"}, "affected": [{"vendor": "ays-pro", "product": "Quiz Maker", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.7.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.\r\nNote: This vulnerability requires WPBakery Page Builder to be installed and active"}], "title": "Quiz Maker <= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e54e2831-e5e9-43f4-acb6-9cf00fdb4e57?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.1.7/pb_templates/quiz_maker_wpbvc.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.1.7/pb_templates/quiz_maker_wpbvc.php#L60"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-01-31T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-11T22:44:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-19T13:25:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T16:25:01.074662Z", "id": "CVE-2026-2384", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T16:25:38.290Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2384", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T16:25:01.074662Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T16:25:14.092Z"}}], "cna": {"title": "Quiz Maker <= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ays-pro", "product": "Quiz Maker", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.7.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-31T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-11T22:44:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-19T13:25:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e54e2831-e5e9-43f4-acb6-9cf00fdb4e57?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.1.7/pb_templates/quiz_maker_wpbvc.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.1.7/pb_templates/quiz_maker_wpbvc.php#L60"}], "descriptions": [{"lang": "en", "value": "The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.\r\nNote: This vulnerability requires WPBakery Page Builder to be installed and active"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:49.908Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2384", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:49.908Z", "dateReserved": "2026-02-11T22:29:12.029Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-20T02:23:32.566Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.\r\nNote: This vulnerability requires WPBakery Page Builder to be installed and active"}, {"lang": "es", "value": "El plugin Quiz Maker para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'vc_quizmaker' del plugin en todas las versiones hasta la 6.7.1.7, inclusive, debido a una sanitizaci\u00f3n de entrada y escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada.\nNota: Esta vulnerabilidad requiere que WPBakery Page Builder est\u00e9 instalado y activo."}], "id": "CVE-2026-2384", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-20T03:16:01.960", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.1.7/pb_templates/quiz_maker_wpbvc.php#L13"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.1.7/pb_templates/quiz_maker_wpbvc.php#L60"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e54e2831-e5e9-43f4-acb6-9cf00fdb4e57?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.7.1.7]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Quiz Maker", "source": "cna", "vendor": "ays-pro"}, "product": "quiz_maker", "vendor": "ays-pro"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:07:34.902817+00:00", "value": {"mitigation_remediation": ["Upgrade the Quiz Maker plugin to the latest available release that removes the stored XSS flaw.", "If an upgrade is not immediately possible, remove or disable the vc_quizmaker shortcode from public pages and restrict contributor privileges to only trusted users.", "Apply proper input validation and output escaping for all shortcode attributes, following best practices for preventing CWE\u201179 vulnerabilities, and consider adding strict Content Security Policy headers to mitigate script execution."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Quiz Maker plugin version 6.7.1.7 or earlier, and have WPBakery Page Builder installed and active, are affected. The vendor is ays\u2011pro and any site owner using this plugin should verify their current version and upgrade if necessary.", "description_and_impact": "The Quiz Maker plugin contains a stored cross\u2011site scripting flaw in its vc_quizmaker shortcode for all releases up to and including 6.7.1.7. Insufficient sanitization of user supplied attributes lets an authenticated user with contributor privileges inject arbitrary client\u2011side scripts into pages that use the shortcode. The injected scripts run in the browser context of any visitor to the affected page, creating risks for session hijacking, information theft, defacement, and further exploitation of the site. The weakness is classed as CWE\u201179.", "risk_and_exploitability": "With a CVSS score of 6.4, the issue is considered medium severity. The EPSS score is below 1\u202f% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation. Nevertheless, attack requires authenticated contributor or higher access and the presence of WPBakery, which narrows the attack surface but still allows a determined attacker to compromise the victim\u2019s browser sessions and potentially harvest credentials or malicious payloads. The stored nature of the XSS means that the malicious content persists until the site owner removes or sanitizes the affected content."}}}}, "created": "2026-02-20T09:52:50.763049+00:00", "updated": "2026-04-15T18:15:10.830869+00:00", "vendors": ["ays-pro", "ays-pro$PRODUCT$quiz_maker", "wordpress", "wordpress$PRODUCT$wordpress"]}