CVE-2026-25324
📋 TL;DR
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Quiz And Survey Master WordPress plugin that allows attackers to bypass authorization by manipulating user-controlled keys. Attackers can exploit incorrectly configured access controls to access or modify quiz/survey data they shouldn't have permission to view. This affects all WordPress sites running vulnerable versions of the plugin.
💻 Affected Systems
- WordPress Quiz And Survey Master plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access, modify, or delete all quiz/survey data, potentially exposing sensitive user responses, manipulating results, or disrupting quiz functionality across the entire site.
Likely Case
Unauthorized access to quiz/survey data belonging to other users, potentially exposing personal information, quiz answers, or survey responses that should remain private.
If Mitigated
Limited impact with proper access controls and monitoring, potentially only affecting non-sensitive data or being detected before significant damage occurs.
🎯 Exploit Status
Exploitation requires some level of access (authenticated user) but the vulnerability itself is simple to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.3.5 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Quiz And Survey Master'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 10.3.5+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched
wp plugin deactivate quiz-master-next
Access Restriction
allRestrict access to quiz/survey pages using web application firewall rules
🧯 If You Can't Patch
- Implement strict access controls and audit all quiz/survey data access
- Monitor application logs for unusual access patterns to quiz/survey endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Quiz And Survey Master version numberCheck Version:
wp plugin get quiz-master-next --field=versionVerify Fix Applied:
Verify plugin version is 10.3.5 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to quiz/survey endpoints
- Multiple failed authorization attempts followed by successful access
- Access to quiz IDs outside user's normal range
Network Indicators:
- Unusual HTTP requests to /wp-content/plugins/quiz-master-next/ endpoints with manipulated parameters
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-content/plugins/quiz-master-next/" OR plugin="quiz-master-next") AND (status=200 OR status=403) | stats count by src_ip, uri_path