LiveActive security incident?Get immediate response
CVE Record

CVE-2016-11085: php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, wi...

php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admin_question.js mishandles parsing inside of a SCRIPT element.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

A vulnerable WordPress quiz plugin could let an outside attacker trick an administrator into saving malicious script content. That script could persist and run later in the site’s admin context, creating a meaningful account and site-control risk.

Executive priority

Treat this as a high-priority legacy WordPress plugin issue where the plugin is present. Prioritize rapid version verification and upgrade because stored XSS in an admin workflow can become broader site compromise.

Technical view

CVE-2016-11085 affects Quiz Master Next before 4.7.9. The issue is CSRF leading to stored XSS through the question_name parameter in php/qmn_options_questions_tab.php, linked to unsafe parsing behavior in js/admin_question.js inside a SCRIPT element.

Likely exposure

Exposure is limited to WordPress sites running Quiz Master Next, later known as Quiz and Survey Master, before version 4.7.9. Risk is higher where administrators are active and can be socially engineered while authenticated.

Exploitation context

The supplied bundle does not show CISA KEV listing or active exploitation evidence. The public advisory describes unauthenticated attackers abusing CSRF to achieve stored XSS with admin-level impact, but the evidence provided does not include exploit prevalence.

Researcher notes

The CVE record lacks CVSS and CWE details in the supplied bundle. Analysis relies on the CVE description and dxw advisory title/content summary. Confirm exact affected plugin lineage and fixed release details before broad customer notification.

Mitigation direction

  • Upgrade the plugin to version 4.7.9 or later.
  • If version status is uncertain, disable the plugin pending verification.
  • Review vendor guidance for the renamed Quiz and Survey Master plugin.
  • Audit administrator accounts for unexpected changes after suspected exposure.
  • Reduce administrator browsing risk with separate admin-only sessions.

Validation and detection

  • Inventory WordPress sites using Quiz Master Next or Quiz and Survey Master.
  • Confirm installed plugin versions are 4.7.9 or later.
  • Check whether affected quiz question fields contain unexpected script content.
  • Review WordPress admin audit logs for unusual plugin or user changes.
  • Verify no untrusted administrator accounts were added.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2016-11085 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.