CVE-2025-67595

4.3 MEDIUM

📋 TL;DR

This CSRF vulnerability in the Ays Pro Quiz Maker WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. It affects WordPress sites running Quiz Maker plugin versions up to and including 6.7.0.82. Attackers could manipulate quiz settings or content through forged requests.

💻 Affected Systems

Products:
  • Ays Pro Quiz Maker (WordPress plugin)
Versions: all releases up to and including 6.7.0.82
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin enabled. Requires an authenticated administrator to be tricked into clicking a malicious link.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could completely compromise quiz functionality, modify all quiz content, delete quizzes, or potentially chain with other vulnerabilities for further exploitation.

🟠 Likely Case

Attackers modify quiz settings or content, potentially inserting malicious links or altering quiz behavior to mislead users.

🟢 If Mitigated

With proper CSRF protections (a per-request nonce or token that the plugin validates before acting on a request), the vulnerability is effectively neutralized, because a forged cross-site request cannot carry a valid token.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks typically require social engineering to trick authenticated users. No public exploit code identified at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 6.7.0.82

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/quiz-maker/vulnerability/wordpress-quiz-maker-plugin-6-7-0-82-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Quiz Maker' and click 'Update Now'.
4. Verify the installed version is > 6.7.0.82.

🔧 Temporary Workarounds

Implement CSRF Protection Headers

Applies to: all

Add framing-restriction headers (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) as defense in depth. These stop admin pages from being loaded inside an attacker-controlled iframe, but they do not block a forged form POST submitted directly from another site, so they reduce exposure rather than remove it; only the nonce/token validation in the patched plugin addresses the root cause. The Header directive requires Apache's mod_headers module to be enabled.

Add to .htaccess: Header set X-Frame-Options "SAMEORIGIN"
Add to .htaccess: Header set Content-Security-Policy "frame-ancestors 'self'"

🧯 If You Can't Patch

  • Disable the Quiz Maker plugin until patched
  • Implement strict access controls and monitor administrator activity for suspicious quiz modifications

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Quiz Maker version number. If version <= 6.7.0.82, you are vulnerable.

Check Version:

wp plugin list --name=quiz-maker --field=version

Verify Fix Applied:

After updating, confirm version is > 6.7.0.82 in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual quiz modification activity from unexpected IP addresses
  • Multiple failed CSRF token validation attempts

Network Indicators:

  • HTTP POST requests to quiz-maker admin endpoints without referrer headers
  • Suspicious iframe or form submissions targeting quiz endpoints

SIEM Query:

source="wordpress.log" AND ("quiz-maker" OR "ays_quiz") AND ("POST" OR "admin-ajax") AND NOT referrer="*wp-admin*"
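The network indicators and the SIEM query above describe one heuristic: POSTs to quiz-maker admin endpoints whose Referer is absent or does not point at wp-admin. The following Python script, an added example that is not part of this advisory or of the plugin, applies that heuristic to web-server access logs in combined log format. It goes slightly beyond the SIEM query by requiring the Referer to be this site's own wp-admin (so a lure page hosted elsewhere under a /wp-admin/ path does not pass). The site host example.test, all log lines and the ?action= values are constructed for the example.

```python
"""Apply the advisory's detection heuristic to access-log lines:
flag POST requests to quiz-maker / WordPress admin endpoints whose Referer
is missing or does not come from this site's own wp-admin pages.
Added example; log lines, host name and action names are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed: combined log format, Referer is the first quoted field after the
# byte count (the Apache/nginx default layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Substrings the advisory's SIEM query keys on, plus the generic endpoints
# a plugin's admin form or AJAX handler is posted to.
QUIZ_MARKERS = ("quiz-maker", "ays_quiz")
ADMIN_POST_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

# Constructed sample: a benign admin request, the same request with no
# Referer, a request referred from an outside page, a GET, and an
# unrelated POST.  The ?action= values are invented, not the plugin's.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=ays_quiz_save HTTP/1.1" 200 512 "https://example.test/wp-admin/admin.php?page=quiz-maker"',
    '203.0.113.7 - - [10/Oct/2025:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=ays_quiz_save HTTP/1.1" 200 512 "-"',
    '198.51.100.9 - - [10/Oct/2025:12:00:09 +0000] "POST /wp-admin/admin.php?page=quiz-maker HTTP/1.1" 302 0 "https://attacker.example/lure.html"',
    '198.51.100.9 - - [10/Oct/2025:12:00:12 +0000] "GET /wp-admin/admin.php?page=quiz-maker HTTP/1.1" 200 9000 "-"',
    '192.0.2.4 - - [10/Oct/2025:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php"',
]


@dataclass
class Hit:
    ip: str
    path: str
    referer: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict, site_host: str = "example.test") -> Optional[str]:
    """Return why a parsed record is suspicious, or None if it is not.

    Stricter than the SIEM query: the Referer must be *this* site's wp-admin,
    not merely contain the string wp-admin.  site_host is an assumed value."""
    if rec["method"] != "POST":
        return None
    path = rec["path"]
    quiz_related = any(marker in path for marker in QUIZ_MARKERS)
    generic_admin = path.startswith(ADMIN_POST_ENDPOINTS)
    if not (quiz_related or generic_admin):
        return None
    referer = rec["referer"]
    if referer in ("", "-"):
        return "no-referer"
    own_admin = re.compile(r"^https?://" + re.escape(site_host) + r"/wp-admin/")
    if not own_admin.match(referer):
        return "foreign-referer"
    return None


def scan(lines, site_host: str = "example.test"):
    """Run classify() over raw log lines and collect the suspicious ones."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than alert on noise
        reason = classify(rec, site_host)
        if reason:
            hits.append(Hit(rec["ip"], rec["path"], rec["referer"], reason))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.reason:16} {h.ip:14} {h.path}  referer={h.referer}")
```

A missing Referer is a weak signal on its own: browsers with a strict Referrer-Policy, privacy extensions and some proxies strip it from legitimate admin traffic, so treat a hit as a triage candidate to correlate with the plugin's own nonce failures and the administrator's session activity, not as proof of a forged request.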
