CVE-2026-40787 · Severity: HIGH · CNA: Patchstack

CVE-2026-40787: WordPress Quiz And Survey Master plugin <= 11.0.0 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master, versions <= 11.0.0.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

This is a stored or reflected cross-site scripting (XSS) vulnerability in the Quiz And Survey Master WordPress plugin, affecting all versions up to and including 11.0.0. The flaw is reachable over the network by an unauthenticated attacker, meaning no login or account is needed, but a victim must interact with a crafted payload for the attack to complete. Successful exploitation allows the attacker to inject and execute malicious JavaScript in a victim's browser, enabling session hijacking, credential theft, and unauthorized actions performed in the context of the logged-in user. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-40787 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle the Quiz And Survey Master plugin.

Triage: Available

Triage is available with a CVSS v3.1 score of 7.1 (HIGH) applied automatically, weighted against each customer organization's compliance policy to determine urgency; findings are routed to the appropriate team inbox based on policy configuration within the customer org.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, compensating controls such as network-policy isolation for affected WordPress deployments and web application firewall (WAF) rule coverage for XSS payloads can be configured while waiting for the upstream patch.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; no local or physical access is needed.

  • Authentication: Not required

    No account or credentials are needed; the attack can be launched by any unauthenticated external user.

  • Victim interaction: Required

    A victim (typically a logged-in WordPress user or admin) must interact with the attacker's crafted payload, such as viewing a malicious quiz or survey entry.

  • Attack complexity: Low

    Exploit complexity is low, meaning no race conditions or special environmental factors are required; a working payload can be delivered reliably once the victim interacts.

Blast Radius

  • Injects malicious JavaScript into the victim's browser session, allowing the attacker to read session cookies and authentication tokens.
  • Performs actions in the WordPress admin or user interface on behalf of the victim without their knowledge.
  • Exfiltrates form input, credentials, or page content visible to the victim at the time of execution.
  • Partially disrupts page availability or integrity by manipulating rendered content (CVSS A:L indicates limited availability impact).

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE fires on any customer image that bundles Quiz And Survey Master at or below version 11.0.0, with findings surfaced in the relevant team inbox weighted by compliance policy. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads with no manual intervention required. While waiting for the upstream patch, recommended compensating controls include placing a WAF rule blocking common XSS payloads in front of affected WordPress instances, restricting public access to quiz and survey submission endpoints via network policy, and auditing installed plugin versions across all images in the registry to confirm scope.

Affected packages
  • ExpressTech / Quiz And Survey Master: ≤ 11.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L