
CVE-2023-3575: CWE-79 Cross-Site Scripting (XSS) in Unknown Quiz And Survey Master

Medium
Published: Mon Aug 07 2023 (08/07/2023, 14:31:20 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Quiz And Survey Master

Description

The Quiz And Survey Master WordPress plugin before 8.1.11 does not properly sanitize and escape question titles, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks.

AI-Powered Analysis

Last updated: 06/22/2025, 10:38:03 UTC

Technical Analysis

CVE-2023-3575 is a medium-severity vulnerability identified in the WordPress plugin 'Quiz And Survey Master' prior to version 8.1.11. The issue is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79. It arises because the plugin does not properly sanitize and escape question titles submitted by users with Contributor role or higher. This improper input handling allows an attacker with at least Contributor privileges to inject malicious JavaScript code into question titles. When other users, including administrators or site visitors, view these questions, the malicious script executes in their browsers. The vulnerability requires authenticated access with Contributor-level privileges, which is a relatively low privilege level in WordPress, allowing many registered users to potentially exploit it. The attack vector is remote and requires user interaction (viewing the malicious content). The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser session. Availability is not directly impacted. The CVSS v3.1 base score is 5.4 (medium), reflecting the moderate impact and exploitation complexity. No known public exploits have been reported in the wild as of the publication date. The vulnerability affects all versions before 8.1.11, and no official patch links were provided in the source information, but upgrading to 8.1.11 or later is implied as the remediation step.

Potential Impact

For European organizations using WordPress websites with the Quiz And Survey Master plugin, this vulnerability poses a risk of persistent XSS attacks that can compromise user accounts, including those of site administrators. This can lead to unauthorized access, data leakage, or manipulation of site content. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, may face compliance risks if user data is exposed or manipulated. Additionally, compromised websites can be used to distribute malware or phishing content, damaging organizational reputation and trust. Since Contributor-level access is sufficient to exploit the vulnerability, insider threats or compromised user accounts can be leveraged by attackers. The impact is heightened for organizations that allow user-generated content or have multiple contributors managing quizzes and surveys. However, the lack of known active exploitation reduces immediate risk, though the vulnerability should be addressed promptly to prevent future attacks.

Mitigation Recommendations

1. Immediate upgrade of the Quiz And Survey Master plugin to version 8.1.11 or later where the vulnerability is fixed.
2. Restrict Contributor role permissions to trusted users only, and review user roles to minimize unnecessary privileges.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns related to script injection in question titles.
4. Conduct regular security audits and vulnerability scans specifically targeting WordPress plugins and user input sanitization.
5. Educate site administrators and contributors about the risks of XSS and safe content management practices.
6. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers.
7. Monitor logs for unusual activity or repeated failed attempts to inject scripts.
8. If upgrading immediately is not feasible, temporarily disable quiz or survey creation/editing by Contributor roles until patched.

These steps go beyond generic advice by focusing on role management, WAF tuning, and CSP implementation tailored to this plugin's context.
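One way to apply the audit step to this specific field is to scan stored question titles for active markup so that titles saved before the upgrade can be reviewed. This is an added example, not code from the plugin or from this page; it assumes the titles have already been exported as `(id, title)` pairs, the sample rows are constructed, and the names `audit_titles` and `SAMPLE_ROWS` are hypothetical. The checks are a triage heuristic, not a complete XSS filter.

```python
from html.parser import HTMLParser

# Tags that run or embed active content if a title is printed unescaped.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
               "style", "link", "meta", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class _TitleScanner(HTMLParser):
    """Collects reasons a stored title is dangerous when output unescaped."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            # Drop whitespace/control characters that may be ignored in a scheme.
            url = "".join(c for c in (value or "") if c > " ").lower()
            if name in URL_ATTRS and url.startswith(("javascript:", "data:text/html")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def audit_titles(rows):
    """Return {question_id: [findings]} for titles carrying active markup."""
    flagged = {}
    for question_id, title in rows:
        scanner = _TitleScanner()
        scanner.feed(title)
        scanner.close()
        if scanner.findings:
            flagged[question_id] = scanner.findings
    return flagged


# Constructed sample rows (id, title); real rows would come from a site export.
SAMPLE_ROWS = [
    (1, "What is 2 < 3 and 5 > 4?"),
    (2, "Pick the <b>best</b> answer"),
    (3, "Capital of France?<script>alert(1)</script>"),
    (4, '<img src="x" onerror="alert(1)">'),
    (5, '<a href="jav&#x61;script:alert(1)">hint</a>'),
]
if __name__ == "__main__":
    print(audit_titles(SAMPLE_ROWS))
```

Plain comparison operators and harmless formatting tags (rows 1 and 2) are not flagged, which keeps the review list short on sites with many quizzes.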


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2023-07-10T09:02:10.344Z
Cisa Enriched: true

Threat ID: 682d9846c4522896dcbf5059

Added to database: 5/21/2025, 9:09:26 AM

Last enriched: 6/22/2025, 10:38:03 AM

Last updated: 7/28/2025, 7:14:42 PM
