CSRF and Stored XSS Vulnerability in quiz-master-next Plugin for WordPress

CSRF and Stored XSS Vulnerability in quiz-master-next Plugin for WordPress

CVE-2016-11085 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admin_question.js mishandles parsing inside of a SCRIPT element.

Learn more about our Wordpress Pen Testing.