CVE-2016-11085

MEDIUM

Quiz and Survey Master < 4.7.9 - Cross-Site Request Forgery and Stored Cross-Site Scripting via Question Name Parameter

Title source: llm
STIX 2.1

Description

php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admin_question.js mishandles parsing inside of a SCRIPT element.

Scores

CVSS v3 6.5
EPSS 0.0102
EPSS Percentile 59.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-352 CWE-79
Status published
Products (1)
expresstech/quiz_and_survey_master < 4.7.9
Published Aug 16, 2020
Tracked Since Feb 18, 2026