VYPR
← All advisories
High severity7.1NVD Advisory· Published Jun 15, 2026· Updated Jun 15, 2026

CVE-2026-48867

CVE-2026-48867

Description

Unauthenticated XSS vulnerability in Quiz And Survey Master plugin for WordPress versions up to 11.1.2 allows attackers to inject malicious scripts, requiring user interaction for exploitation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated XSS vulnerability in Quiz And Survey Master plugin for WordPress versions up to 11.1.2 allows attackers to inject malicious scripts, requiring user interaction for exploitation.

Vulnerability

The Quiz And Survey Master plugin for WordPress (versions <= 11.1.2) contains an unauthenticated Cross-Site Scripting (XSS) vulnerability. The exact input field is not specified, but the vulnerability can be triggered without authentication. [1]

Exploitation

Attackers can initiate the XSS by crafting a malicious link or input. However, successful exploitation requires a privileged user (such as an admin) to perform an action like clicking the link or visiting a crafted page. User interaction is required. [1]

Impact

An attacker can inject malicious scripts, including redirects, advertisements, and other HTML payloads, which execute when visitors access the affected site. This can lead to information disclosure, session hijacking, or defacement. [1]

Mitigation

The vulnerability is fixed in version 11.1.3. Users should update to this version or later. If unable to update, apply a mitigation rule from Patchstack. The vulnerability is expected to be exploited in mass campaigns, so immediate action is recommended. [1]

References
  1. Cross Site Scripting (XSS) in WordPress Quiz And Survey Master Plugin

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1