CVE-2016-11085 in quiz-master-next Plugin
Summary
by MITRE
php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admin_question.js mishandles parsing inside of a SCRIPT element.
Analysis
by VulDB Data Team • 03/24/2025
The vulnerability identified as CVE-2016-11085 affects the quiz-master-next WordPress plugin, specifically targeting versions prior to 4.7.9. This issue represents a critical security flaw that combines cross-site request forgery (CSRF) with stored cross-site scripting (XSS) capabilities, creating a dangerous attack vector for malicious actors targeting WordPress installations. The vulnerability exists within the php/qmn_options_questions_tab.php file and is exacerbated by improper handling of JavaScript parsing within SCRIPT elements by the js/admin_question.js component.
The technical flaw stems from insufficient input validation and sanitization mechanisms within the plugin's administrative interface. When administrators interact with the question management functionality, the question_name parameter is not properly escaped or validated before being rendered within a SCRIPT element context. This lets malicious actors craft requests that bypass CSRF protection mechanisms and inject malicious JavaScript code into the database. The stored XSS occurs because the vulnerable parameter is persisted in the database and subsequently executed whenever the affected page is loaded, which makes it particularly dangerous: the malicious payload can affect multiple users.
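The SCRIPT-element context described above is shown below as an added example; it is not code from quiz-master-next. A value that is a perfectly valid JavaScript string literal can still end the element early, because the HTML parser looks for the closing tag before any JavaScript is parsed. The function names, the `question` variable and the sample value are constructed for illustration, and `scriptElementBody` is a simplified model of the HTML parser.

```javascript
// Added illustration, not plugin code. All names here are hypothetical.

// Simplified model of the HTML parser: a SCRIPT element ends at the first
// "</script" sequence, whether or not it sits inside a JS string literal.
function scriptElementBody(html) {
  const open = html.indexOf("<script>");
  const close = html.toLowerCase().indexOf("</script", open);
  return html.slice(open + "<script>".length, close);
}

// Weak: JSON.stringify yields a valid JS string literal, but "<" and "/"
// pass through unchanged, so stored text can terminate the element.
function embedNaive(value) {
  return "<script>var question = " + JSON.stringify(value) + ";</script>";
}

// Hardened: also escape the characters the HTML parser reacts to. Escaping
// every "<" covers "</script", "<!--" and "<script" in one rule.
function embedSafe(value) {
  const json = JSON.stringify(value).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
  return "<script>var question = " + json + ";</script>";
}

// True when the script body the HTML parser extracts still evaluates to the
// stored value, i.e. the value stayed data and did not become markup.
function survivesEmbedding(embed, value) {
  const body = scriptElementBody(embed(value));
  try {
    return new Function(body + " return question;")() === value;
  } catch (e) {
    return false; // body was cut short by the HTML parser: syntax error
  }
}

// Constructed sample: a question name carrying a closing tag and inert markup.
const sampleName = "Capital of France?</script><b>marker</b>";
console.log("naive:", survivesEmbedding(embedNaive, sampleName));
console.log("safe: ", survivesEmbedding(embedSafe, sampleName));
```

In the naive case everything after the stored closing tag is handed to the HTML parser as markup, which is the stored XSS condition; the hardened form keeps the whole value inside the string literal.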
The operational impact of this vulnerability extends beyond simple data theft or defacement. Attackers can leverage this flaw to execute arbitrary JavaScript code within the context of administrators' browsers, potentially leading to complete compromise of the WordPress installation. The combination of CSRF and stored XSS allows attackers to perform actions such as modifying quiz content, stealing administrator session cookies, redirecting users to malicious sites, or even installing backdoors. This vulnerability affects not only the immediate plugin functionality but also poses risks to the broader WordPress ecosystem, as administrators may inadvertently execute malicious code while managing quiz questions.
Security practitioners should implement immediate mitigations including upgrading to version 4.7.9 or later of the quiz-master-next plugin, which addresses the CSRF and XSS vulnerabilities through proper input sanitization and CSRF token validation. Additionally, organizations should review their WordPress plugin management processes to ensure timely updates and consider implementing web application firewalls that can detect and block malicious JavaScript injection attempts. The vulnerability aligns with CWE-352 (Cross-Site Request Forgery) and CWE-79 (Cross-Site Scripting) categories, and represents a significant concern for ATT&CK technique T1059.007 (Scripting) and T1566 (Phishing with Social Engineering). Organizations should also conduct thorough security audits of their WordPress installations to identify other potential vulnerabilities in plugin code that may be susceptible to similar flaws, particularly in areas where user input is processed and rendered within JavaScript contexts.