Skip to main content

Quiz and Survey Master CVE-2026-9233

| EUVDEUVD-2026-39952 MEDIUM
Missing Authorization (CWE-862)
2026-06-27 Wordfence GHSA-jrf7-2c28-2hc3
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS consequence introduces scope change (S:C) and confidentiality impact (C:L) when admin views injected template, requiring UI:R.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 07:51 vuln.today
CVE Published
Jun 27, 2026 - 06:50 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create, modify, and delete quiz output templates stored in the mlw_quiz_output_templates database table, including storing unsanitized HTML content such as arbitrary script tags.

AnalysisAI

Authorization bypass in the Quiz and Survey Master (QSM) WordPress plugin (all versions through 11.1.4) allows authenticated contributors to create, modify, and delete quiz output templates in the mlw_quiz_output_templates database table without proper capability checks. Because template content is stored without sanitization, this grants contributor-level users the practical ability to inject arbitrary script tags into templates viewable by higher-privileged users such as administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor account
Delivery
Send crafted POST to template endpoint
Exploit
Bypass missing authorization check
Execution
Persist script tag in mlw_quiz_output_templates
Persist
Admin views template
Impact
XSS executes in admin session

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account with at minimum contributor-level access (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) captures the authorization bypass alone, but likely understates real-world impact by omitting the stored XSS consequence: script injection into admin-viewed templates introduces a confidentiality and scope-change dimension not reflected in C:N/S:U. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers as a contributor on a WordPress site running QSM 11.1.4 with open user registration enabled, then sends a crafted authenticated POST request to the plugin's template management endpoint, bypassing the absent authorization check to save a quiz output template containing a malicious script tag. When an administrator subsequently accesses the quiz template management interface, the stored script executes in their browser session, potentially exfiltrating session cookies or performing actions on their behalf.
Remediation An upstream fix is available as changeset 3570062 in the WordPress plugin repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3570062%40quiz-master-next&new=3570062%40quiz-master-next); however, the specific patched release version is not independently confirmed from the available data - administrators should update to the latest available version of QSM beyond 11.1.4 via the WordPress plugin dashboard and verify the installed version exceeds the vulnerable range. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy