CVE-2026-2384 is a stored cross-site scripting vulnerability classified under CWE-79, found in the ays-pro Quiz Maker plugin for WordPress. This vulnerability affects all versions up to and including 6.7.1.7 and is triggered via the plugin's vc_quizmaker shortcode, which fails to properly sanitize and escape user-supplied input attributes. An authenticated attacker with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into quiz pages. Because the injected scripts are stored persistently, they execute every time a user accesses the infected page, potentially compromising user sessions or enabling further attacks such as phishing or malware distribution. The vulnerability requires the WPBakery Page Builder plugin to be installed and active, as it is dependent on the shortcode functionality provided by WPBakery. The CVSS 3.1 score of 6.4 indicates a medium severity, with network attack vector, low complexity, privileges required, no user interaction, and a scope change due to affecting other users viewing the page. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or public-facing quiz content. The lack of available patches at the time of publication necessitates immediate mitigation efforts to reduce exposure.

The impact of CVE-2026-2384 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows an attacker with contributor-level access to inject malicious scripts that execute in the browsers of any user viewing the compromised quiz pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, defacement of site content, or distribution of malware. The scope of the attack extends beyond the initial attacker due to the stored nature of the XSS, affecting all visitors to the infected pages. For organizations, this can result in reputational damage, loss of user trust, potential regulatory penalties if user data is compromised, and operational disruptions. Since the vulnerability requires authenticated access, the risk is higher in environments with multiple contributors or less stringent access controls. The dependency on WPBakery Page Builder means that sites not using this plugin are not affected, but those that do are at risk. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is public.

To mitigate CVE-2026-2384 effectively, organizations should take the following specific actions: 1) Immediately restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input injection. 2) Monitor and audit all content created via the vc_quizmaker shortcode for suspicious scripts or unexpected code. 3) If possible, temporarily disable the Quiz Maker plugin or the WPBakery Page Builder plugin until a security patch is released. 4) Implement a Web Application Firewall (WAF) with custom rules to detect and block attempts to inject or execute malicious scripts through the affected shortcode parameters. 5) Educate content contributors about the risks of injecting untrusted content and enforce strict content review processes. 6) Regularly update WordPress core, plugins, and themes to the latest versions once patches addressing this vulnerability become available. 7) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 8) Conduct penetration testing focusing on XSS vectors in the Quiz Maker plugin to identify any residual or related vulnerabilities. These targeted measures go beyond generic advice by focusing on access control, content monitoring, and layered defenses specific to the vulnerability context.