CVE-2024-27966
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ExpressTech Quiz And Survey Master allows Stored XSS. This issue affects Quiz And Survey Master: from n/a through 8.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Quiz And Survey Master ≤8.2.2 lets attackers inject scripts that execute during page visits, fixed in 8.2.3.
The Quiz And Survey Master plugin for WordPress, versions up to and including 8.2.2, suffers from a stored cross-site scripting (XSS) vulnerability [1]. The root cause is an improper neutralization of user input during web page generation, meaning the plugin fails to sanitize or escape certain submitted data before storing it and later displaying it on site pages. This allows an attacker to insert arbitrary JavaScript or HTML payloads into the plugin's database fields.
Exploitation requires a user with at least contributor-level privileges to submit a crafted quiz or survey response containing malicious script code [1]. The payload is then stored in the plugin's database. When any site visitor (including administrators) loads a page that renders the stored data—such as a results page or an admin dashboard view—the injected script executes in the visitor's browser. No additional user interaction beyond visiting the affected page is needed for the script to run.
Successful exploitation enables a malicious actor to perform actions such as redirecting visitors to phishing sites, injecting unwanted advertisements, or stealing session cookies [1]. Because the payload persists and affects all subsequent page loads, this stored XSS can be used for broad attacks against the site's users.
The vulnerability has been addressed in version 8.2.3 of the plugin [1]. All users are strongly advised to update to this latest version immediately. Site administrators who cannot update should contact their hosting provider or web developer for assistance. Patchstack users can enable automatic updates for vulnerable plugins to apply the fix without manual intervention [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=8.2.2
- Range: <=8.2.2
Patches
No patches discovered yet.
References