Security readout for executives and security teams
Plain-English summary
A vulnerable WordPress quiz plugin could let an outside attacker trick an administrator into saving malicious script content. That script could persist and run later in the site’s admin context, creating a meaningful account and site-control risk.
Executive priority
Treat this as a high-priority legacy WordPress plugin issue where the plugin is present. Prioritize rapid version verification and upgrade because stored XSS in an admin workflow can become broader site compromise.
Technical view
CVE-2016-11085 affects Quiz Master Next before 4.7.9. The issue is CSRF leading to stored XSS through the question_name parameter in php/qmn_options_questions_tab.php, linked to unsafe parsing behavior in js/admin_question.js inside a SCRIPT element.
Likely exposure
Exposure is limited to WordPress sites running Quiz Master Next, later known as Quiz and Survey Master, before version 4.7.9. Risk is higher where administrators are active and can be socially engineered while authenticated.
Exploitation context
The supplied bundle does not show CISA KEV listing or active exploitation evidence. The public advisory describes unauthenticated attackers abusing CSRF to achieve stored XSS with admin-level impact, but the evidence provided does not include exploit prevalence.
Researcher notes
The CVE record lacks CVSS and CWE details in the supplied bundle. Analysis relies on the CVE description and dxw advisory title/content summary. Confirm exact affected plugin lineage and fixed release details before broad customer notification.
Mitigation direction
- Upgrade the plugin to version 4.7.9 or later.
- If version status is uncertain, disable the plugin pending verification.
- Review vendor guidance for the renamed Quiz and Survey Master plugin.
- Audit administrator accounts for unexpected changes after suspected exposure.
- Reduce administrator browsing risk with separate admin-only sessions.
Validation and detection
- Inventory WordPress sites using Quiz Master Next or Quiz and Survey Master.
- Confirm installed plugin versions are 4.7.9 or later.
- Check whether affected quiz question fields contain unexpected script content.
- Review WordPress admin audit logs for unusual plugin or user changes.
- Verify no untrusted administrator accounts were added.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2016-11085 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
