How is CVE-2026-48867 exploited?

Network reachability (required): The vulnerable service must be reachable over the network; an attacker sends crafted requests to the public-facing WordPress installation without needing prior access. Authentication (not-required): No account or credentials of any kind are needed to deliver the malicious payload to the target application. Victim interaction (required): A victim must take an action such as clicking a crafted link or loading a page containing injected content for the JavaScript payload to execute in their browser. Attack complexity (info): Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental factors need to align for the attack to succeed.

What is the impact of CVE-2026-48867?

An attacker can execute arbitrary JavaScript in the victim's browser session, reading cookies, session tokens, or other authentication material stored in the browser. Page content visible to the victim can be modified, enabling phishing overlays, fake login forms, or redirection to attacker-controlled sites. The victim's browser can be used to issue authenticated requests to the WordPress site on the attacker's behalf, potentially altering site content or settings the victim has permission to change. The CVSS availability impact token indicates a low disruption to the affected component, meaning the injected script can interfere with the normal rendering or function of the page the victim is viewing.

Back to search

HIGHCVE-2026-48867Published 2026-06-15Modified 2026-06-15CNA Patchstack

CVE-2026-48867: WordPress Quiz And Survey Master plugin <= 11.1.2 - Cross Site Scripting (XSS) vulnerability

Q: What is CVE-2026-48867?

This is a stored or reflected cross-site scripting (XSS) vulnerability in the Quiz And Survey Master WordPress plugin, affecting all versions up to and including 11.1.2. The flaw is reachable over the network without any authentication, but requires a victim to interact with crafted content, such as visiting a malicious URL or viewing injected markup. Successful exploitation allows an attacker to execute arbitrary JavaScript in a victim's browser session, potentially reading session data, altering page content, or disrupting the user's experience. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

Q: Is CVE-2026-48867 patched?

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment ExpressTech releases a remediated version. In the meantime, customers receive continuous visibility into which images and workloads carry the affected plugin version.

Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions.

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a stored or reflected cross-site scripting (XSS) vulnerability in the Quiz And Survey Master WordPress plugin, affecting all versions up to and including 11.1.2. The flaw is reachable over the network without any authentication, but requires a victim to interact with crafted content, such as visiting a malicious URL or viewing injected markup. Successful exploitation allows an attacker to execute arbitrary JavaScript in a victim's browser session, potentially reading session data, altering page content, or disrupting the user's experience. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images and pipeline builds, including custom-built WordPress images that bundle the Quiz And Survey Master plugin. Coverage applies regardless of whether the image originates from a public base or an internally maintained registry.

Available

Triage

HarborGuard scores this finding at CVSS 7.1 (High) and weights it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on configured policy rules.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment ExpressTech releases a remediated version. In the meantime, customers receive continuous visibility into which images and workloads carry the affected plugin version.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable service must be reachable over the network; an attacker sends crafted requests to the public-facing WordPress installation without needing prior access.
AuthenticationNot required
No account or credentials of any kind are needed to deliver the malicious payload to the target application.
Victim interactionRequired
A victim must take an action such as clicking a crafted link or loading a page containing injected content for the JavaScript payload to execute in their browser.
Attack complexityDetail
Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental factors need to align for the attack to succeed.

Blast Radius

An attacker can execute arbitrary JavaScript in the victim's browser session, reading cookies, session tokens, or other authentication material stored in the browser.
Page content visible to the victim can be modified, enabling phishing overlays, fake login forms, or redirection to attacker-controlled sites.
The victim's browser can be used to issue authenticated requests to the WordPress site on the attacker's behalf, potentially altering site content or settings the victim has permission to change.
The CVSS availability impact token indicates a low disruption to the affected component, meaning the injected script can interfere with the normal rendering or function of the page the victim is viewing.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for this CVE as of the publication date, HarborGuard monitors the Patchstack advisory feed on every ingest cycle and will trigger a patched-image rebuild automatically once ExpressTech publishes a fix for Quiz And Survey Master. Until then, customers can use HarborGuard policy controls to flag any image containing the affected plugin version and route it for manual review before deployment. Compensating controls worth considering include network-policy rules that restrict unauthenticated form submission endpoints, web application firewall rules targeting reflected and stored XSS patterns in plugin input fields, and temporarily disabling the plugin in environments where it is not business-critical. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention the moment a fix version is confirmed upstream.

See how HarborGuard automates this

Affected packages

ExpressTech / Quiz And Survey Master
≤ 11.1.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

References

patchstack.com

Metrics

Get notified