
CVE-2026-2384: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ays-pro Quiz Maker

Severity: Medium
Published: Fri Feb 20 2026 (02/20/2026, 02:23:32 UTC)
Source: CVE Database V5
Vendor/Project: ays-pro
Product: Quiz Maker

Description

CVE-2026-2384 is a stored Cross-Site Scripting (XSS) vulnerability in the ays-pro Quiz Maker WordPress plugin, affecting all versions up to and including 6.7.1.7. It arises from insufficient input sanitization and output escaping in the plugin's vc_quizmaker shortcode, which lets authenticated users with Contributor-level access or higher inject script into a page through the shortcode's attributes. The injected script runs in the browser of any user who views the affected page. The vulnerability is only reachable when the WPBakery Page Builder plugin is active. The CVSS 3.1 base score is 6.4 (medium): network attack vector and low attack complexity, but the attacker needs an authenticated account. No exploitation in the wild has been reported. The risk is to confidentiality and integrity, through session hijacking, actions performed in the victim's session, or defacement.

AI-Powered Analysis

Last updated: 02/20/2026, 03:31:46 UTC

Technical Analysis

CVE-2026-2384 is a stored Cross-Site Scripting (XSS) vulnerability in the ays-pro Quiz Maker plugin for WordPress, affecting all versions up to and including 6.7.1.7. The weakness is improper neutralization of input during web page generation (CWE-79) in the vc_quizmaker shortcode: the attribute values an author supplies in the shortcode are neither sanitized on input nor escaped when the plugin generates the page markup, so an authenticated user with Contributor-level access or higher can embed arbitrary JavaScript in a page or post. The payload is stored in the post content and rendered every time the page is viewed, so it executes for any visitor, including the editors or administrators who preview the contributor's pending post; running in an administrator's session it can perform privileged actions, which is the route from stored XSS to privilege escalation. WordPress's KSES filtering of contributor content does not help here: the stored text is shortcode syntax rather than an HTML tag, and the HTML is produced by the plugin only at render time. Exploitation requires the WPBakery Page Builder plugin to be installed and active, since the shortcode is only wired up in that context. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, low confidentiality and integrity impact and no availability impact. No public exploit has been reported. The case illustrates a recurring failure in WordPress plugins: treating shortcode attributes as trusted even though they are authored by users who are not allowed to post raw HTML.
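The defect class described above, as an added illustration that is not the Quiz Maker plugin's code (the advisory does not publish the vulnerable handler): a shortcode callback that interpolates attribute values straight into HTML, next to a hardened version using WordPress's own shortcode_atts(), absint() and esc_attr(). The attribute names (id, title) and the generated markup are assumptions chosen for the example; the fallback definitions at the top only exist so the file also runs outside WordPress.

```php
<?php
// Added example for CVE-2026-2384's defect class; NOT the Quiz Maker plugin's
// code. A shortcode callback that renders attribute values without escaping,
// beside a hardened version. Attribute names and markup are assumptions.

// Stand-ins so the file also runs outside WordPress, where the real
// shortcode_atts(), absint() and esc_attr() are already defined.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, $atts): array {
        $atts = (array) $atts;
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('absint')) {
    function absint($maybeint): int { return abs((int) $maybeint); }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE pattern (hypothetical): whatever the author typed inside
// [vc_quizmaker id="..." title="..."] lands in the markup verbatim.
function vc_quizmaker_vulnerable($atts): string {
    $a = shortcode_atts(['id' => 0, 'title' => ''], $atts);
    return '<div class="ays-quiz" data-id="' . $a['id']
         . '" title="' . $a['title'] . '"></div>';
}

// HARDENED pattern: coerce the numeric attribute and escape the string one
// for the HTML attribute context. KSES never sees this markup because it is
// generated at render time, so the escaping has to happen here.
function vc_quizmaker_hardened($atts): string {
    $a = shortcode_atts(['id' => 0, 'title' => ''], $atts);
    return '<div class="ays-quiz" data-id="' . absint($a['id'])
         . '" title="' . esc_attr($a['title']) . '"></div>';
}

// Constructed attacker input, as WordPress's shortcode parser hands it to the
// callback for  [vc_quizmaker id="1" title='" onmouseover="alert(1)']
// (the single-quoted form lets the value carry double quotes).
$atts = ['id' => '1', 'title' => '" onmouseover="alert(1)'];

// Vulnerable: the quote closes title="" and onmouseover becomes a live handler.
echo vc_quizmaker_vulnerable($atts), "\n";

// Hardened: the quote is entity-encoded and stays inside the title value.
echo vc_quizmaker_hardened($atts), "\n";
```

Run it with `php example.php` and compare the two lines: in the first, the browser sees a real onmouseover attribute on the div; in the second, the whole payload is inert text inside title="". The same rule applies to every other context the shortcode writes into (esc_url() for href/src, esc_js() for inline script, wp_kses_post() where limited HTML is intended).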

Potential Impact

The primary impact of CVE-2026-2384 is that a user with Contributor-level access can plant script that runs in the browser of everyone who views the affected page, with the victim's cookies and session. Consequences include session theft and account takeover, actions performed in the victim's session (a script running for an administrator can change settings or create users), content defacement, and redirection of visitors to malicious sites. Contributors cannot publish, so before publication the exposed population is the editors and administrators who preview or approve the post; once published, it is every visitor. The confidentiality and integrity of user data and site content are at risk; availability is not directly affected. Organizations that use Quiz Maker for education or engagement face reputational damage, loss of user trust and possible compliance consequences if user data is exposed. The authentication requirement limits exposure but does not remove it, especially on sites with many contributors, open registration, or weak control over contributor accounts. Because exploitation depends on WPBakery Page Builder being active, sites without it are not affected, but both plugins are widely deployed, so a large number of sites may be exposed.

Mitigation Recommendations

To mitigate CVE-2026-2384, organizations should take the following actions:
1) Update the plugin as soon as a release newer than 6.7.1.7 that addresses this CVE is available. The advisory lists all versions up to and including 6.7.1.7 as affected, so confirm the fix in the vendor changelog rather than assuming any later build is safe.
2) Audit Contributor-level and higher accounts and remove or downgrade any that are not needed. Contributors cannot publish, but their pending posts are rendered for whoever reviews them, so the reviewer's session is the first target; where the workflow allows, review submissions with an editor account rather than an administrator account.
3) Review content that contains the vc_quizmaker shortcode (search post content for "[vc_quizmaker") for attribute values holding quotes, angle brackets, event-handler names (on...=) or javascript: URLs, by automated scan or manual review.
4) If the plugin is not essential, deactivate it; otherwise disable the vc_quizmaker shortcode until the update is installed. Keeping WPBakery Page Builder inactive also removes the rendering path, since exploitation requires it.
5) Add a Content Security Policy that disallows inline script. A policy strict enough to block an injected inline handler (no 'unsafe-inline', with nonces or hashes for legitimate scripts) usually breaks WordPress themes and plugins that emit inline script, so roll it out in report-only mode first.
6) Tune WAF rules to the request that stores the content (the post save in wp-admin) as well as to the rendered page. The stored payload is shortcode syntax rather than an HTML tag, so generic tag-based XSS signatures may miss it; match attribute values inside [vc_quizmaker ...] that contain markup or event-handler fragments.
7) Treat contributor accounts as semi-trusted: enforce strong authentication and train content creators to report unexpected changes to their posts.
These measures reduce both the likelihood and the impact of exploitation until the plugin is updated.
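A content-audit helper for items 3 and 6 above, added here as an example and not part of the advisory or the plugin: it extracts every [vc_quizmaker ...] shortcode from a post body, parses the attributes the way WordPress does (double-quoted, single-quoted or bare values), and flags values that carry markup, event-handler or script-URL fragments. In WordPress you would feed it post_content rows from wp_posts; the sample posts at the bottom are constructed, and the indicator patterns are this example's own choice rather than a vendor rule set.

```php
<?php
// Added example, not part of the advisory or the Quiz Maker plugin: scans
// stored post content for vc_quizmaker shortcodes whose attribute values
// look like attribute-breakout XSS payloads. Sample posts are constructed.

const SHORTCODE = 'vc_quizmaker';

// Indicator patterns (this example's own choice). Each is a building block
// of an attribute-breakout payload and has no place in a quiz id or title.
const INDICATORS = [
    'html-tag'       => '/<\s*\/?\s*[a-z]/i',            // <script, </div
    'event-handler'  => '/\bon[a-z]+\s*=/i',              // onmouseover=
    'quote-breakout' => '/["\']\s*[a-z-]+\s*=/i',         // " onfoo=
    'script-url'     => '/\b(?:javascript|vbscript|data)\s*:/i',
];

// Returns the raw attribute string of every [vc_quizmaker ...] tag.
// Limitation: a value containing ']' ends the match early.
function find_shortcode_tags(string $content, string $tag = SHORTCODE): array {
    $re = '/\[' . preg_quote($tag, '/') . '\b([^\]]*)\]/i';
    preg_match_all($re, $content, $m);
    return $m[1];
}

// Splits an attribute string into name => value, accepting the forms
// WordPress's shortcode parser accepts: name="v", name='v', name=v.
function parse_atts(string $attstr): array {
    $atts = [];
    $re = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/';
    preg_match_all($re, $attstr, $m, PREG_SET_ORDER);
    foreach ($m as $hit) {
        // Exactly one of groups 2..4 matched; unmatched groups are empty/absent.
        $atts[strtolower($hit[1])] = ($hit[2] ?? '') . ($hit[3] ?? '') . ($hit[4] ?? '');
    }
    return $atts;
}

// Returns one finding per (attribute, indicator) hit in the given post body.
function scan_post(int $post_id, string $content): array {
    $findings = [];
    foreach (find_shortcode_tags($content) as $attstr) {
        foreach (parse_atts($attstr) as $name => $value) {
            foreach (INDICATORS as $label => $re) {
                if (preg_match($re, $value)) {
                    $findings[] = ['post' => $post_id, 'attr' => $name,
                                   'indicator' => $label, 'value' => $value];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows (post ID => post_content). 12 is benign, 13 carries
// the quote-breakout payload, 14 a javascript: URL, 15 has no shortcode.
$posts = [
    12 => 'Take the quiz: [vc_quizmaker id="3" title="Chapter 1 review"]',
    13 => '[vc_quizmaker id="3" title=\'" onmouseover="alert(document.cookie)\']',
    14 => '[vc_quizmaker id="3" title="x" link="javascript:alert(1)"]',
    15 => 'No shortcode here, just <strong>text</strong>.',
];

foreach ($posts as $id => $content) {
    foreach (scan_post($id, $content) as $f) {
        printf("post %d: attribute %s flagged as %s: %s\n",
               $f['post'], $f['attr'], $f['indicator'], $f['value']);
    }
}
```

Post 12 and post 15 produce nothing; post 13 is reported twice (event-handler and quote-breakout) and post 14 once (script-url). The same four patterns, applied to the body of the post-save request in wp-admin, are what a WAF rule for this issue should look for, since by the time the page is rendered the payload is already stored.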


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-02-11T22:29:12.029Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6997d231d7880ec89b52f4ea

Added to database: 2/20/2026, 3:17:05 AM

Last enriched: 2/20/2026, 3:31:46 AM

Last updated: 2/20/2026, 4:22:42 AM

