Chained Quiz Security & Risk Analysis

wordpress.org/plugins/chained-quiz

Create a quiz where the next question depends on the answer to the previous question. Final quiz results depend on the amount of collected points.

1K active installs · v1.3.9 · PHP 8.0+ · WP 4.0+ · Updated Nov 27, 2025
Tags: exam, questionnaire, quiz, survey, test
Security score: 91 (A · Safe)
CVEs total: 24
Unpatched: 0
Last CVE: Sep 17, 2025
Safety Verdict

Is Chained Quiz Safe to Use in 2026?

Generally Safe

Score 91/100

Chained Quiz has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

24 known CVEs · Last CVE: Sep 17, 2025 · Updated 5mo ago
Risk Assessment

The Chained Quiz plugin v1.3.9 presents a mixed security posture. While it demonstrates good practices like extensive use of prepared statements for SQL queries (97%) and a significant number of nonce and capability checks, several areas raise concerns. The presence of two AJAX handlers without authentication checks significantly expands the attack surface and creates potential entry points for unauthorized actions. The taint analysis reveals six high-severity flows with unsanitized paths, indicating potential for serious vulnerabilities like injection attacks or SSRF if these flows are exploitable.

The plugin's vulnerability history is a major red flag, with a total of 24 known CVEs, including one critical vulnerability. Although there are currently no unpatched vulnerabilities, the sheer volume and variety of past issues (Authorization Bypass, SSRF, CSRF, XSS, SQL Injection) suggest a recurring pattern of security weaknesses. The most recent vulnerability was reported in late 2025, and its prompt patching does not negate the historical risk profile. The relatively low percentage of properly escaped output (46%) also contributes to a higher risk of Cross-Site Scripting (XSS) vulnerabilities.

In conclusion, Chained Quiz v1.3.9 has strengths in its SQL handling and security checks, but these are overshadowed by critical concerns regarding unprotected AJAX endpoints, high-severity taint flows, and a history of numerous and serious vulnerabilities. Users should exercise extreme caution and ensure they are on the latest version with all patches applied, though historical data suggests ongoing vigilance is necessary.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Low proper output escaping percentage
  • Total known CVEs (24)
  • Critical severity known CVEs
  • Common vulnerability types (SSRF, SQLi, XSS, CSRF, Auth Bypass)
Vulnerabilities
24 published

Chained Quiz Security Vulnerabilities

CVEs by Year

2016: 1 CVE
2017: 1 CVE
2018: 1 CVE
2020: 2 CVEs
2021: 1 CVE
2022: 13 CVEs
2023: 1 CVE
2024: 2 CVEs
2025: 2 CVEs

Severity Breakdown

Critical: 1
Medium: 23

24 total CVEs

CVE-2025-10493 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

Chained Quiz <= 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie

Sep 17, 2025 Patched in 1.3.6 (1d)
CVE-2025-24701 · medium · 5.5 · Server-Side Request Forgery (SSRF)

Chained Quiz <= 1.3.2.9 - Authenticated (Admin+) Server-Side Request Forgery

Jan 24, 2025 Patched in 1.3.3 (5d)
CVE-2024-37921 · medium · 5.3 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2.8 - Missing Authorization

Jul 9, 2024 Patched in 1.3.2.9 (51d)
CVE-2024-37446 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jun 28, 2024 Patched in 1.3.2.9 (5d)
CVE-2023-25027 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Feb 6, 2023 Patched in 1.3.2.6 (351d)
CVE-2022-4218 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Chained Quiz <= 1.3.2.4 - Cross-Site Request Forgery to Arbitrary Quiz Deletion and Copying

Dec 2, 2022 Patched in 1.3.2.5 (417d)
CVE-2022-4208 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2 - Reflected Cross-Site Scripting via datef

Dec 2, 2022 Patched in 1.3.2.1 (417d)
CVE-2022-4211 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2 - Reflected Cross-Site Scripting via emailf

Dec 2, 2022 Patched in 1.3.2.1 (417d)
CVE-2022-4214 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2.3 - Reflected Cross-Site Scripting via ip

Dec 2, 2022 Patched in 1.3.2.4 (417d)
CVE-2022-4217 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Mailchimp API Key

Dec 2, 2022 Patched in 1.3.2.3 (417d)
CVE-2022-4220 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Chained Quiz <= 1.3.2.4 - Cross-Site Request Forgery to Question Deletion

Dec 2, 2022 Patched in 1.3.2.5 (417d)
CVE-2022-4212 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2 - Reflected Cross-Site Scripting via ipf

Dec 2, 2022 Patched in 1.3.2.1 (417d)
CVE-2022-4215 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2.3 - Reflected Cross-Site Scripting via date

Dec 2, 2022 Patched in 1.3.2.4 (417d)
CVE-2022-4209 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2 - Reflected Cross-Site Scripting via pointsf

Dec 2, 2022 Patched in 1.3.2.1 (417d)
CVE-2022-4216 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Facebook App ID

Dec 2, 2022 Patched in 1.3.2.3 (417d)
CVE-2022-4210 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2 - Reflected Cross-Site Scripting via dnf

Dec 2, 2022 Patched in 1.3.2.1 (417d)
CVE-2022-4219 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Chained Quiz <= 1.3.2.4 - Cross-Site Request Forgery to Submitted Response Deletion

Dec 2, 2022 Patched in 1.3.2.5 (417d)
CVE-2022-4213 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.3.2.2 - Reflected Cross-Site Scripting via dn

Dec 2, 2022 Patched in 1.3.2.3 (417d)
CVE-2021-24690 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz < 1.2.7.2 - Cross-Site Scripting

Sep 7, 2021 Patched in 1.2.7.2 (868d)
WF-b3bae191-9395-481c-93bf-b17cf5f87271-chained-quiz · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.1.9 - Stored Cross-Site Scripting

Feb 21, 2020 Patched in 1.1.9.1 (1432d)
CVE-2020-7104 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 1.1.8.1 - Reflected Cross-Site Scripting

Jan 16, 2020 Patched in 1.1.8.2 (1468d)
CVE-2018-14502 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Chained Quiz <= 1.0.8.2 - Unauthenticated SQL Injection

Aug 16, 2018 Patched in 1.0.9 (1986d)
CVE-2016-10892 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz Plugin < 1.0 - Cross-Site Scripting

Jan 12, 2017 Patched in 1.0 (2567d)
WF-76a4dbcd-b3f3-48e9-8175-c701837ac2ae-chained-quiz · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chained Quiz <= 0.9.8 - Cross-Site Scripting

Dec 21, 2016 Patched in 0.9.9 (2589d)
Version History

Chained Quiz Release Timeline

v1.3.9 · Current
v1.3.8
v1.3.7
v1.3.6
v1.3.5 · 1 CVE
v1.3.4 · 1 CVE
v1.3.3 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Chained Quiz Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 7 (229 prepared)
Unescaped Output: 202 (169 escaped)
Nonce Checks: 26
Capability Checks: 11
File Operations: 1
External Requests: 4
Bundled Libraries: 0

SQL Query Safety

97% prepared · 236 total queries

Output Escaping

46% escaped · 371 total outputs
Data Flows · Security
9 unsanitized

Data Flow Analysis

25 flows · 9 with unsanitized paths
display (controllers\social-sharing.php:32)
Attack Surface
2 unprotected

Chained Quiz Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_chainedquiz_ajax · chained-quiz.php:45
nopriv · wp_ajax_chainedquiz_ajax · chained-quiz.php:46

Shortcodes 2

[chained-quiz] models\basic.php:258
[chained-share] models\basic.php:259
WordPress Hooks 6
action · init · chained-quiz.php:34
action · admin_menu · chained-quiz.php:37
action · admin_enqueue_scripts · chained-quiz.php:38
action · wp_enqueue_scripts · chained-quiz.php:41
action · template_redirect · models\basic.php:267
action · chained_quiz_completed · models\basic.php:270
Maintenance & Trust

Chained Quiz Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 27, 2025
PHP min version: 8.0
Downloads: 117K

Community Trust

Rating: 98/100
Number of ratings: 38
Active installs: 1K
Developer Profile

Chained Quiz Developer Profile

Bob

10 plugins · 5K total installs

Trust score: 66
Avg Security Score: 82/100
Avg Patch Time: 715 days
Detection Fingerprints

How We Detect Chained Quiz

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/chained-quiz/css/admin/chained-quiz-admin.css
/wp-content/plugins/chained-quiz/css/frontend/chained-quiz.css
/wp-content/plugins/chained-quiz/css/frontend/chained-quiz-styles.css
/wp-content/plugins/chained-quiz/js/admin/chained-quiz-admin.js
/wp-content/plugins/chained-quiz/js/frontend/chained-quiz.js
/wp-content/plugins/chained-quiz/js/frontend/chained-quiz-init.js
Script Paths
/wp-content/plugins/chained-quiz/js/admin/chained-quiz-admin.js
/wp-content/plugins/chained-quiz/js/frontend/chained-quiz.js
/wp-content/plugins/chained-quiz/js/frontend/chained-quiz-init.js
Version Parameters
chained-quiz/css/admin/chained-quiz-admin.css?ver=
chained-quiz/css/frontend/chained-quiz.css?ver=
chained-quiz/css/frontend/chained-quiz-styles.css?ver=
chained-quiz/js/admin/chained-quiz-admin.js?ver=
chained-quiz/js/frontend/chained-quiz.js?ver=
chained-quiz/js/frontend/chained-quiz-init.js?ver=

HTML / DOM Fingerprints

CSS Classes
chained-quiz-container
chained-quiz-question-title
chained-quiz-answer-choice
chained-quiz-result-container
chained-quiz-quiz-list
chained-quiz-admin-form
chained-quiz-admin-quiz-field
chained-quiz-admin-question-field
+1 more
HTML Comments
<!-- Generated by Chained Quiz plugin -->
<!-- Begin Chained Quiz Shortcode -->
<!-- End Chained Quiz Shortcode -->
Data Attributes
data-quiz-id
data-question-id
data-current-question
data-next-question
JS Globals
chained_quiz_vars
Shortcode Output
[chained-quiz
[/chained-quiz]