VYPR
Medium severity (6.4) · NVD Advisory · Published Oct 31, 2025 · Updated Apr 15, 2026

CVE-2025-11806

Description

The Qzzr Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'qzzr' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'quiz' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Qzzr Shortcode Plugin for WordPress allows contributor-level users to inject arbitrary scripts via the 'quiz' attribute.

The Qzzr Shortcode Plugin for WordPress (versions up to 1.0.1) is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability originates from insufficient input sanitization and output escaping on the 'quiz' attribute within the 'qzzr' shortcode. This allows attackers to inject arbitrary web scripts that become stored on the server and execute when a user visits the affected page [1].

Exploitation requires authenticated access with contributor-level privileges or higher. The attacker crafts a post or page containing the malicious shortcode, which is then rendered for any visitor to that page. No additional network access is needed beyond standard WordPress functionality, and the stored script runs in the context of the victim's browser session [1].

Successful exploitation leads to arbitrary script execution in the browser of users accessing the injected page. This can result in session hijacking, defacement, or redirection to malicious sites. The impact is limited by the requirement for an authenticated account with contributor capabilities [1].

The plugin has been closed on the WordPress plugin directory as of October 24, 2025, and is no longer available for download. Users should remove the plugin from their sites immediately, as no patched version exists [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
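The pattern the description refers to (a shortcode attribute reaching the page without input sanitization or output escaping) next to its hardened form, as an added illustration that is not the Qzzr plugin's own code. The handler names, the emitted markup, the simplified stand-ins for WordPress core functions, and the assumption that a quiz is identified by a short alphanumeric token are all hypothetical; the WordPress functions `shortcode_atts`, `sanitize_text_field`, `esc_attr` and `add_shortcode` are real.

```php
<?php
// Added illustration (not the Qzzr plugin's code): a hypothetical [qzzr quiz="..."]
// shortcode handler in the shape the advisory describes (attribute value echoed into
// markup without sanitization or escaping), beside a hardened version.
//
// Simplified stand-ins so the file runs with the php CLI outside WordPress; inside
// WordPress these are provided by core and the stand-ins are skipped.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        // Keep only the attributes the handler declares, with defaults filled in.
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Reduced stand-in: strip control characters and surrounding whitespace.
        return trim( preg_replace( '/[\x00-\x1F\x7F]/', '', (string) $str ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // Attribute-context escaping: quotes and angle brackets become entities.
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'add_shortcode' ) ) {
    function add_shortcode( $tag, $callback ) { /* no-op outside WordPress */ }
}

// Vulnerable pattern: the 'quiz' attribute is interpolated straight into HTML.
// A double quote in the value closes the attribute, and whatever follows is parsed
// as markup by the browser of every user who views the page.
function demo_qzzr_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'quiz' => '' ), $atts, 'qzzr' );
    return '<div class="qzzr-quiz" data-quiz="' . $atts['quiz'] . '"></div>';
}

// Hardened pattern: validate on input, escape for the output context.
function demo_qzzr_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'quiz' => '' ), $atts, 'qzzr' );

    // Assumption for this illustration: a quiz is identified by a short token of
    // letters, digits, '-' and '_'. Anything else is rejected, not "cleaned up".
    $quiz = sanitize_text_field( $atts['quiz'] );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $quiz ) ) {
        return '';
    }

    // esc_attr() is the escaping function for an HTML attribute context. The
    // allowlist above narrows the input; the escape is what closes the XSS even
    // if the allowlist is later loosened.
    return '<div class="qzzr-quiz" data-quiz="' . esc_attr( $quiz ) . '"></div>';
}

add_shortcode( 'qzzr', 'demo_qzzr_shortcode_safe' );

// Constructed sample input: a value that breaks out of the attribute in the unsafe
// handler and is rejected by the hardened one.
$sample = array( 'quiz' => 'abc"><b>injected</b>' );
echo "unsafe: " . demo_qzzr_shortcode_unsafe( $sample ) . "\n";
echo "safe:   " . var_export( demo_qzzr_shortcode_safe( $sample ), true ) . "\n";
echo "safe:   " . demo_qzzr_shortcode_safe( array( 'quiz' => 'quiz-42' ) ) . "\n";
```

Run with `php demo.php`: the unsafe handler emits the `<b>` element as live markup, the hardened handler returns an empty string for the same input and the expected `<div ... data-quiz="quiz-42">` for a well-formed token. Because contributors can save shortcodes in post content, the same validate-then-escape discipline has to apply to every attribute a shortcode reflects into the page, not only to those that look like identifiers.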

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)