CVE-2025-14579 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Quiz Maker WordPress plugin before version 6.7.0.89. The root cause is the plugin's failure to properly sanitize and escape certain settings fields, which allows high-privilege users, such as administrators, to inject malicious JavaScript code that is stored persistently within the plugin's data. This vulnerability is notable because it can be exploited even when the WordPress capability 'unfiltered_html' is disabled, a common restriction in multisite WordPress environments to prevent script injection by users. The stored XSS can lead to execution of arbitrary scripts in the context of the affected site, potentially enabling session hijacking, privilege escalation, or redirection to malicious sites. Although no public exploits have been reported yet, the vulnerability poses a significant risk due to the high privileges required to exploit it and the persistent nature of the attack. The affected product, Quiz Maker, is widely used in educational and corporate environments for creating quizzes and assessments, making it a valuable target for attackers aiming to compromise user trust or steal sensitive information. The lack of a CVSS score indicates that the vulnerability is newly published and not yet fully assessed, but the technical details and impact suggest a high severity. The vulnerability was reserved in December 2025 and published in January 2026, indicating recent discovery. No official patches or updates are linked yet, so users must monitor vendor releases closely. The vulnerability is cataloged under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on the Quiz Maker plugin for educational, training, or assessment purposes. Exploitation could allow attackers with administrative access to inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of legitimate users. In multisite WordPress installations common in large organizations and educational institutions, this vulnerability bypasses typical restrictions on HTML filtering, increasing the risk of persistent XSS attacks. This could undermine user trust, lead to data breaches, and cause reputational damage. Additionally, attackers could leverage this vulnerability to pivot within the network or deploy further malware. The absence of known exploits in the wild currently limits immediate risk, but the presence of a stored XSS in a widely used plugin makes it a high-value target for future attacks. The impact on availability is limited but could occur if attackers use XSS to deface sites or disrupt user interactions. Confidentiality and integrity are the primary concerns due to the potential for data theft and unauthorized actions.

European organizations should prioritize updating the Quiz Maker plugin to version 6.7.0.89 or later as soon as it becomes available, as this version is expected to include proper sanitization and escaping of settings to remediate the vulnerability. Until an official patch is released, administrators should restrict plugin access to only the most trusted users and review existing plugin settings for suspicious or unexpected content. Implementing Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the plugin's endpoints can provide interim protection. Organizations should also audit multisite configurations to ensure that unfiltered_html capabilities are tightly controlled and monitor logs for unusual administrative activity. Regular security training for administrators on safe plugin management and input validation best practices is recommended. Additionally, consider isolating or sandboxing WordPress instances that use Quiz Maker to limit lateral movement if exploitation occurs. Finally, maintain updated backups to enable quick recovery if an attack is successful.