CVE-2024-13456 is a stored cross-site scripting vulnerability identified in the Easy Quiz Maker plugin for WordPress, affecting all versions up to and including 2.0. The root cause is insufficient input sanitization and output escaping of user-supplied attributes within the plugin's 'wqt-question' shortcode. This flaw allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into quiz content. When other users access pages containing the injected shortcode, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability leverages the common CWE-79 weakness related to improper neutralization of input during web page generation. The CVSS 3.1 base score of 6.4 reflects a medium severity level, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or known exploits are currently available, but the vulnerability's presence in a widely used WordPress plugin makes it a credible threat vector for targeted attacks or automated exploitation once weaponized. The vulnerability emphasizes the importance of strict input validation and output encoding in WordPress plugin development to prevent persistent XSS attacks.

The primary impact of CVE-2024-13456 is the compromise of confidentiality and integrity within affected WordPress sites using the Easy Quiz Maker plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, redirecting users to phishing sites, or performing unauthorized actions under the victim's credentials. While availability is not directly affected, the resulting trust erosion and potential data breaches can cause reputational damage and operational disruptions. Organizations relying on this plugin for educational, training, or quiz-related content risk exposure of sensitive user data and unauthorized privilege escalation. The vulnerability could also be leveraged as a foothold for further attacks within the network if combined with other vulnerabilities or misconfigurations. Given WordPress's widespread use globally, the threat affects a broad range of sectors including education, corporate training, and content management platforms.

To mitigate CVE-2024-13456, organizations should first check for and apply any official patches or updates from the Easy Quiz Maker plugin vendor once released. In the absence of patches, administrators should restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious shortcode injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script tags or JavaScript payloads in shortcode attributes can provide interim protection. Site owners should audit existing quiz content for suspicious or unauthorized scripts and remove them. Employing Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script sources. Additionally, plugin developers should review and enhance input validation and output encoding mechanisms, especially for shortcode attributes, to prevent injection vectors. Regular security scanning and monitoring for anomalous behavior related to XSS attacks are recommended to detect exploitation attempts early.