WP Best Quiz <= 1.0 - Author+ Stored XSS
Description
The WP Best Quiz WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/WP Best Quiz
- Range: <=1.0
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping of parameters allows stored Cross-Site Scripting."
Attack vector
An attacker with Author-level privileges can inject arbitrary JavaScript into parameters that the plugin fails to sanitize and escape [ref_id=1]. When other users (including administrators) view the affected page, the injected script executes in their browser session. This is a stored Cross-Site Scripting (XSS) attack [CWE-79].
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the WP Best Quiz plugin through version 1.0, where parameters are not sanitized or escaped before output.
What the fix does
No patch or fix has been published for this vulnerability [ref_id=1]. The advisory recommends that the plugin properly sanitize and escape user-supplied parameters before outputting them, which would prevent the injection of arbitrary HTML and JavaScript.
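The sanitize-on-save, escape-on-output pattern described above, as an added example that is not code from WP Best Quiz or from the advisory. Every name in it (the `wpbq_demo_*` functions, the `quiz_title` and `quiz_intro` fields, the `_wpbq_demo_*` meta keys) is hypothetical, since the advisory names no parameters. With default roles, Author accounts do not hold WordPress's `unfiltered_html` capability, so markup they submit is expected to pass through a filter such as `wp_kses_post()`.

```php
<?php
// Added example with hypothetical names; not code from WP Best Quiz.

// Save handler for a hypothetical quiz form posted to admin-post.php.
add_action( 'admin_post_wpbq_demo_save', 'wpbq_demo_save' );
function wpbq_demo_save() {
    check_admin_referer( 'wpbq_demo_save' ); // CSRF nonce check
    $quiz_id = isset( $_POST['quiz_id'] ) ? absint( $_POST['quiz_id'] ) : 0;
    if ( ! $quiz_id || ! current_user_can( 'edit_post', $quiz_id ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }

    // Plain-text field: strip tags and control characters on input.
    $title = isset( $_POST['quiz_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['quiz_title'] ) ) : '';
    // Rich-text field: keep only the HTML allowed in post content.
    $intro = isset( $_POST['quiz_intro'] )
        ? wp_kses_post( wp_unslash( $_POST['quiz_intro'] ) ) : '';

    // update_post_meta() expects slashed input, so re-slash the clean values.
    update_post_meta( $quiz_id, '_wpbq_demo_title', wp_slash( $title ) );
    update_post_meta( $quiz_id, '_wpbq_demo_intro', wp_slash( $intro ) );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// Output: escape for the context even though values were sanitized on save,
// so rows stored before the fix or written by other code paths stay inert.
add_shortcode( 'wpbq_demo_quiz', 'wpbq_demo_render' );
function wpbq_demo_render( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts );
    $quiz_id = absint( $atts['id'] );
    $title   = (string) get_post_meta( $quiz_id, '_wpbq_demo_title', true );
    $intro   = (string) get_post_meta( $quiz_id, '_wpbq_demo_intro', true );

    return sprintf(
        '<div class="wpbq-demo" data-quiz="%s"><h3>%s</h3><div>%s</div></div>',
        esc_attr( $quiz_id ),   // attribute context
        esc_html( $title ),     // HTML text context
        wp_kses_post( $intro )  // re-filter stored markup at output
    );
}
```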
Preconditions
- auth: Attacker must have an account with at least Author role on the WordPress site
- config: The WP Best Quiz plugin version 1.0 must be installed and active
Reproduction
The advisory does not include specific reproduction steps beyond noting that users with Author-level privileges can inject XSS via unsanitized parameters [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/b9f39ced-1e0f-4559-b861-39ddcbcd1249/ (mitre, exploit, vdb-entry, technical-description)