CVE-2025-12016

The qnotsquiz plugin for WordPress (versions up to and including 1.0.0) contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'qnotsquiz_custom_start_text' parameter. The root cause is insufficient input sanitization and output escaping, allowing attacker-controlled input to be stored and later rendered unsafely in pages [1].

The vulnerability can be exploited by authenticated attackers with administrator-level access. It specifically affects multi-site installations and single-site installations where the 'unfiltered_html' capability has been disabled for administrators. The attacker must have the ability to save plugin settings or create/modify content that uses the vulnerable parameter [1].

If exploited, arbitrary web scripts (JavaScript, HTML, etc.) injected into the parameter will execute in the browsers of any user who visits a page where the stored payload is rendered. This can lead to session hijacking, defacement, or theft of sensitive data. The plugin has been closed on the WordPress plugin directory as of October 22, 2025, due to this security issue [1].

No patched version is available; the plugin is effectively end-of-life. Users running this plugin should immediately remove it from their WordPress installations and replace it with an alternative. Workarounds include restricting administrator access on multisite networks or ensuring the unfiltered_html capability is enabled (though this introduces other risks).