Watu Quiz Security & Risk Analysis

wordpress.org/plugins/watu

Creates exams, surveys, and quizzes with unlimited number of questions and answers. Mobile/touch - friendly.

3K active installs v3.4.6 PHP 8.0+ WP 5.0+ Updated Mar 12, 2026
Tags: exam, mobile, quiz, survey, test
Score: 88 · A · Safe
CVEs total: 17
Unpatched: 0
Last CVE: Dec 17, 2025
Safety Verdict

Is Watu Quiz Safe to Use in 2026?

Generally Safe

Score 88/100

Watu Quiz has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

17 known CVEs · Last CVE: Dec 17, 2025 · Updated 2mo ago
Risk Assessment

The "watu" plugin v3.4.6 presents a mixed security posture. While it demonstrates good practices in SQL query handling and includes a substantial number of nonce and capability checks, several concerning aspects warrant attention. The static analysis reveals a significant attack surface, with 5 out of 11 entry points lacking authentication checks. This is further compounded by the presence of four 'unserialize' calls, a known dangerous function, and taint analysis indicating two high-severity flows with unsanitized paths. The plugin's vulnerability history is also a significant concern, with 17 known CVEs, including 4 high-severity ones, and common vulnerability types such as missing authorization and cross-site scripting. The fact that the last reported vulnerability was in late 2025 (though this seems like a typo and likely refers to a past date) might suggest recent updates, but the historical pattern of multiple vulnerabilities, particularly those related to authorization and input sanitization, points to a recurring need for stringent security development and auditing processes.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Dangerous unserialize function usage
  • High number of high severity historical CVEs
  • Outputs with partial proper escaping
  • Common vulnerability types: Missing Auth & XSS
Vulnerabilities
17 published

Watu Quiz Security Vulnerabilities

CVEs by Year

  • 2014: 1 CVE
  • 2015: 1 CVE
  • 2019: 1 CVE
  • 2023: 5 CVEs
  • 2024: 4 CVEs
  • 2025: 5 CVEs

Severity Breakdown

  • High: 4
  • Medium: 13

17 total CVEs

CVE-2025-68587 · medium · 4.3 · Missing Authorization

Watu Quiz <= 3.4.5 - Missing Authorization

Dec 17, 2025 · Patched in 3.4.5.1 (21d)

CVE-2025-67976 · medium · 4.3 · Missing Authorization

Watu Quiz <= 3.4.5 - Missing Authorization

Dec 15, 2025 · Patched in 3.4.5.1 (6d)

CVE-2025-11238 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz <= 3.4.4 - Unauthenticated Stored Cross-Site Scripting via HTTP Referer

Oct 24, 2025 · Patched in 3.4.5 (1d)

CVE-2025-46242 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Watu Quiz <= 3.4.3 - Authenticated (Administrator+) SQL Injection

Apr 22, 2025 · Patched in 3.4.4 (9d)

CVE-2025-30844 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz <= 3.4.2 - Reflected Cross-Site Scripting

Apr 1, 2025 · Patched in 3.4.3 (9d)

CVE-2024-53792 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Watu Quiz <= 3.4.1.2 - Authenticated (Contributor+) SQL Injection

Nov 29, 2024 · Patched in 3.4.1.3 (7d)

CVE-2024-2640 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz <= 3.4.1.1 - Authenticated (Author+) Stored Cross-Site Scripting

Jun 21, 2024 · Patched in 3.4.1.2 (50d)

CVE-2024-0872 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Watu Quiz <= 3.4.1 - Sensitive Information Disclosure

Apr 4, 2024 · Patched in 3.4.1.1 (6d)

CVE-2024-0873 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 4, 2024 · Patched in 3.4.1.1 (58d)

CVE-2023-30483 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz <= 3.3.9.2 - Reflected Cross-Site Scripting via 'question'

Apr 13, 2023 · Patched in 3.3.9.3 (285d)

CVE-2023-0968 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz <= 3.3.9 - Reflected Cross-Site Scripting

Mar 3, 2023 · Patched in 3.3.9.1 (326d)

CVE-2023-25022 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz <= 3.3.8 - Authenticated (Admin+) Stored Cross-Site Scripting

Feb 3, 2023 · Patched in 3.3.8.1 (354d)

CVE-2023-0428 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz <= 3.3.8.1 - Reflected Cross-Site Scripting

Jan 24, 2023 · Patched in 3.3.8.2 (364d)

CVE-2023-0429 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz <= 3.3.8.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Jan 24, 2023 · Patched in 3.3.8.3 (364d)

WF-aed2ec57-2475-4e77-8219-399cf769ba5a-watu · high · 7.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz 3.1.2.1 - 3.1.2.5 - Reflected Cross-Site Scripting

Jun 28, 2019 · Patched in 3.1.2.6 (1670d)

CVE-2015-10111 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Watu Quiz <= 2.6.7 - Authenticated (Admin+) SQL Injection

Nov 20, 2015 · Patched in 2.6.8 (2986d)

WF-efdf76b2-7640-4384-a72b-789159eb9c86-watu · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Watu Quiz <= 2.5.0.1 - Stored Cross-Site Scripting

Nov 16, 2014 · Patched in 2.5.0.2 (3355d)
Version History

Watu Quiz Release Timeline

v3.4.6 (Current)
v3.4.5.3
v3.4.5.2
v3.4.5.1
Code Analysis
Analyzed Mar 16, 2026

Watu Quiz Code Analysis

  • Dangerous Functions: 4
  • Raw SQL Queries: 20 (208 prepared)
  • Unescaped Output: 187 (186 escaped)
  • Nonce Checks: 17
  • Capability Checks: 12
  • File Operations: 2
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · controllers\exam.php:210
    $advanced_settings = unserialize(stripslashes($dquiz->advanced_settings));
unserialize · controllers\grades.php:44
    $advanced_settings = unserialize(stripslashes($quiz->advanced_settings));
unserialize · controllers\show_exam.php:41
    $advanced_settings = unserialize(stripslashes($exam->advanced_settings ?? ''));
unserialize · controllers\takings.php:355
    $advanced_settings = unserialize(stripslashes($exam->advanced_settings));

SQL Query Safety

91% prepared · 228 total queries

Output Escaping

50% escaped · 373 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

22 flows · 4 with unsanitized paths
display (controllers\social-sharing.php:34)
Attack Surface
5 unprotected

Watu Quiz Attack Surface

Entry Points: 11
Unprotected: 5

AJAX Handlers 5

auth · wp_ajax_watu_submit · watu.php:460
nopriv · wp_ajax_watu_submit · watu.php:461
auth · wp_ajax_watu_taking_details · watu.php:462
auth · wp_ajax_watu_rated · watu.php:463
auth · wp_ajax_watu_reorder_questions · watu.php:464

Shortcodes 6

[WATU] watu.php:57
[watu] watu.php:58
[watushare-buttons] watu.php:59
[watu-basic-chart] watu.php:60
[watu-takings] watu.php:61
[watu-userinfo] watu.php:62
WordPress Hooks 16
action · wp_enqueue_scripts · watu.php:53
action · admin_enqueue_scripts · watu.php:54
action · wp_enqueue_scripts · watu.php:55
filter · watu_content · watu.php:91
filter · watu_content · watu.php:93
filter · watu_content · watu.php:94
filter · watu_content · watu.php:95
filter · watu_content · watu.php:99
filter · watu_content · watu.php:101
action · watu_exam_submitted_detailed · watu.php:103
action · admin_notices · watu.php:108
action · admin_menu · watu.php:119
action · watu_exam · watu.php:120
action · activate_watu/watu.php · watu.php:178
action · init · watu.php:459
filter · wp_privacy_personal_data_erasers · watu.php:467
Maintenance & Trust

Watu Quiz Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 8.0
Downloads: 418K

Community Trust

Rating: 94/100
Number of ratings: 135
Active installs: 3K
Developer Profile

Watu Quiz Developer Profile

Bob

10 plugins · 5K total installs

Trust score: 66
Avg Security Score: 82/100
Avg Patch Time: 715 days
Detection Fingerprints

How We Detect Watu Quiz

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/watu/css/exam-list.css
  • /wp-content/plugins/watu/css/jquery-ui.css
  • /wp-content/plugins/watu/css/style.css
  • /wp-content/plugins/watu/js/watu.js
  • /wp-content/plugins/watu/js/jquery-ui.js
  • /wp-content/plugins/watu/js/raphael-min.js
  • /wp-content/plugins/watu/js/chart.js
  • /wp-content/plugins/watu/js/social-sharing.js
  • +4 more
Script Paths
  • /wp-content/plugins/watu/js/watu.js
  • /wp-content/plugins/watu/js/jquery-ui.js
  • /wp-content/plugins/watu/js/raphael-min.js
  • /wp-content/plugins/watu/js/chart.js
  • /wp-content/plugins/watu/js/social-sharing.js
  • /wp-content/plugins/watu/js/watu-admin.js
  • +3 more
Version Parameters
  • /wp-content/plugins/watu/css/exam-list.css?ver=
  • /wp-content/plugins/watu/css/jquery-ui.css?ver=
  • /wp-content/plugins/watu/css/style.css?ver=
  • /wp-content/plugins/watu/js/watu.js?ver=
  • /wp-content/plugins/watu/js/jquery-ui.js?ver=
  • /wp-content/plugins/watu/js/raphael-min.js?ver=
  • /wp-content/plugins/watu/js/chart.js?ver=
  • /wp-content/plugins/watu/js/social-sharing.js?ver=
  • /wp-content/plugins/watu/js/watu-admin.js?ver=
  • /wp-content/plugins/watu/js/exam-options.js?ver=
  • /wp-content/plugins/watu/js/watu-import.js?ver=
  • /wp-content/plugins/watu/js/watu-quiz-editor.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • watu-quiz-list
  • watu-exam-questions
  • watu-quiz-results
  • watu-quiz-form
  • watu-question-item
  • watu-answer-item
  • watu-progress-bar
  • watu-chart-container
  • +4 more
HTML Comments
  • <!-- Watu Quiz -->
  • <!-- Watu Question -->
  • <!-- Watu Answer -->
  • <!-- Watu Results -->
  • +1 more
Data Attributes
  • data-exam-id
  • data-question-id
  • data-quiz-word
  • data-quiz-word-plural
  • data-watu-nonce
JS Globals
  • watu_ajax_url
  • watu_quiz_id
  • watu_exam_data
  • watu_quiz_settings
  • watu_user_progress
REST Endpoints
  • /wp-json/watu/v1/submit-quiz
  • /wp-json/watu/v1/get-quiz-data
  • /wp-json/watu/v1/save-progress
Shortcode Output
  • [WATU]
  • [watu]
  • [watushare-buttons]
  • [watu-basic-chart]