WpCues Basic Quiz Security & Risk Analysis

wordpress.org/plugins/wpcues-basic-quiz

Create math / html / multimedia rich quiz. Award Mozilla Open Badges, Create colorful charts / leader boards and sell your quizzes using stripe.

10 active installs · v1.6.5 · PHP + · WP 3.5+ · Updated Unknown
exam, mobile, quiz, survey, test
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WpCues Basic Quiz Safe to Use in 2026?

Generally Safe

Score 100/100

WpCues Basic Quiz has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The wpcues-basic-quiz plugin v1.6.5 exhibits a mixed security posture. While it demonstrates strong adherence to secure coding practices by utilizing prepared statements for the vast majority of its SQL queries and implementing capability checks on a significant number of entry points, several areas raise considerable concern. The plugin's attack surface is substantial, with a large number of unprotected AJAX handlers representing a prime vector for unauthorized access and manipulation. Furthermore, the presence of unsanitized paths in a significant portion of taint flows, coupled with the use of the `unserialize` function, indicates a high risk of remote code execution or data corruption if these flows are exploitable. The absence of any recorded vulnerabilities in its history is a positive indicator of past security, suggesting that developers may have a general awareness of secure coding. However, this historical data does not negate the immediate risks identified in the static and taint analysis of the current version.

Key Concerns

  • Unprotected AJAX handlers
  • Taint flows with unsanitized paths
  • Dangerous function 'unserialize'
  • Low percentage of properly escaped output
  • Low number of nonce checks
Vulnerabilities
None known

WpCues Basic Quiz Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WpCues Basic Quiz Code Analysis

Dangerous Functions: 27
Raw SQL Queries: 20 (176 prepared)
Unescaped Output: 373 (108 escaped)
Nonce Checks: 2
Capability Checks: 44
File Operations: 0
External Requests: 1
Bundled Libraries: 2

Dangerous Functions Found

unserialize · `$questmeta=unserialize($question->post_content);` · admin\templates\addnewquestion.php:47
unserialize · `if(!(empty($gradegroupid))){$gradegroup=get_post($gradegroupid);$gradegroupcontent=unserialize($grad` · admin\templates\createquiz.php:109
unserialize · `$gradegroup=get_post($gradegroupid);$grademeta=unserialize($gradegroup->post_content);` · admin\templates\crtificate.php:7
unserialize · `$entitymeta=unserialize($entitypost->post_content);` · admin\templates\quizstat.php:151
unserialize · `$postcontent=unserialize($post->post_content);` · admin\templates\report.php:61
unserialize · `$postcontent=unserialize($post->post_content);` · admin\templates\report.php:124
unserialize · `$postcontent=unserialize($post->post_content);` · admin\templates\report.php:182
unserialize · `$grademeta=unserialize($gradepost->post_content);` · admin\wpcue_quiz_admin.php:625
unserialize · `$post=get_post($postid);$postmeta=unserialize($post->post_content);` · common\classes\wpcue_basic_chart.php:86
unserialize · `$postcontent=unserialize($post->post_content);` · common\classes\wpcue_basic_chart.php:105
unserialize · `$chartoptions=unserialize($chart->post_content);` · common\classes\wpcue_basic_chart.php:123
unserialize · `$grademeta=unserialize($gradegroup->post_content);` · common\classes\wpcue_basic_chart.php:137
unserialize · `$grademeta=unserialize($instance->post_content);` · common\classes\wpcue_basic_gradegroup.php:125
unserialize · `if(!(is_null($gradegroup))){$gradegroupcontent=unserialize($gradegroup->post_content);}` · common\classes\wpcue_basic_gradegroup.php:273
unserialize · `$postcontent=unserialize($post->post_content);` · common\classes\wpcue_basic_leaderboard.php:69
unserialize · `$option=unserialize($leaderboard->post_content);` · common\classes\wpcue_basic_leaderboard.php:94
unserialize · `$answerar['la']=unserialize(stripslashes($output['lanswerids-'.$entityid]));` · common\classes\wpcue_basic_match.php:177
unserialize · `$answerar['ra']=unserialize(stripslashes($output['ranswerids-'.$entityid]));` · common\classes\wpcue_basic_match.php:178
unserialize · `$entitymeta=unserialize($entitypost->post_content);` · common\classes\wpcue_basic_question.php:228
unserialize · `$questmeta=unserialize($instance->post_content);` · common\classes\wpcue_basic_questionpost.php:156
unserialize · `$questmeta=unserialize($question->post_content);` · common\classes\wpcue_basic_questionpost.php:227
unserialize · `<div class='rowshort'><p><?php $questcontent=unserialize($quest->post_content);` · common\classes\wpcue_basic_questionpost.php:309
unserialize · `$instancemeta=unserialize($questions[$instanceid]->post_content);}` · common\classes\wpcue_basic_quiz.php:223
unserialize · `$questmeta=unserialize($questions[$questionid]->post_content);}` · common\classes\wpcue_basic_quiz.php:227
unserialize · `$entitymeta=unserialize($entitypost->post_content);` · common\classes\wpcue_quiz_plugin.php:195
unserialize · `$gradegroupid=$quizmeta['quizgrade'][0];$gradegroup=get_post($gradegroupid);$gradegroupcontent=unser` · common\classes\wpcue_quiz_plugin.php:293
unserialize · `$gradegroup=get_post($gradegroupid);$grademeta=unserialize($gradegroup->post_content);` · public\wpcue_quiz_public.php:269

Bundled Libraries

TinyMCE, jQuery

SQL Query Safety

90% prepared · 196 total queries

Output Escaping

22% escaped · 481 total outputs
Data Flows
19 unsanitized

Data Flow Analysis

25 flows · 19 with unsanitized paths
add_grade (common\classes\wpcue_basic_gradegroup.php:169)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
37 unprotected

WpCues Basic Quiz Attack Surface

Entry Points: 47
Unprotected: 37

AJAX Handlers 43

auth · wp_ajax_dynamic_css · admin\wpcue_quiz_admin.php:27
auth · wp_ajax_wpcuequizgetquizresult_action · admin\wpcue_quiz_admin.php:29
nopriv · wp_ajax_wpcuequizgetquizresult_action · admin\wpcue_quiz_admin.php:30
auth · wp_ajax_wpcuequizstartquiz_action · admin\wpcue_quiz_admin.php:31
nopriv · wp_ajax_wpcuequizstartquiz_action · admin\wpcue_quiz_admin.php:32
auth · wp_ajax_addbadge_action · common\classes\wpcue_basic_badge.php:20
auth · wp_ajax_trashbadge_action · common\classes\wpcue_basic_badge.php:21
auth · wp_ajax_wpcuequizbadgesuccess_action · common\classes\wpcue_basic_badge.php:25
auth · wp_ajax_wpcuequizaddcerti_action · common\classes\wpcue_basic_certificate.php:17
auth · wp_ajax_wpcuequiztrashcerti_action · common\classes\wpcue_basic_certificate.php:18
auth · wp_ajax_wpcuequizaddchart_action · common\classes\wpcue_basic_chart.php:19
auth · wp_ajax_wpcuequizdeletechart_action · common\classes\wpcue_basic_chart.php:20
auth · wp_ajax_wpcuequizretrievechartinfo_action · common\classes\wpcue_basic_chart.php:21
auth · wp_ajax_wpcuequiztrasherror_action · common\classes\wpcue_basic_error.php:20
auth · wp_ajax_wpcuequizquestiondropdown_action · common\classes\wpcue_basic_error.php:21
auth · wp_ajax_wpcuequizaddgradegroup_action · common\classes\wpcue_basic_gradegroup.php:18
auth · wp_ajax_wpcuequizaddgrade_action · common\classes\wpcue_basic_gradegroup.php:19
auth · wp_ajax_wpcuequizeditgradegroup_action · common\classes\wpcue_basic_gradegroup.php:20
auth · wp_ajax_wpcuequizsavegradegroup_action · common\classes\wpcue_basic_gradegroup.php:21
auth · wp_ajax_wpcuequizremovegradegroup_action · common\classes\wpcue_basic_gradegroup.php:22
auth · wp_ajax_wpcuequizaddleaderboard_action · common\classes\wpcue_basic_leaderboard.php:20
auth · wp_ajax_wpcuequizretrieveleaderboardinfo_action · common\classes\wpcue_basic_leaderboard.php:21
auth · wp_ajax_wpcuequizdeleteleaderboard_action · common\classes\wpcue_basic_leaderboard.php:22
auth · wp_ajax_addlevel_action · common\classes\wpcue_basic_level.php:21
auth · wp_ajax_trashlevel_action · common\classes\wpcue_basic_level.php:22
auth · wp_ajax_addproduct_action · common\classes\wpcue_basic_product.php:19
auth · wp_ajax_trashproduct_action · common\classes\wpcue_basic_product.php:20
auth · wp_ajax_wpcuefetchitemlist_pageaction · common\classes\wpcue_basic_product.php:21
auth · wp_ajax_wpcuesaveitemlist_pageaction · common\classes\wpcue_basic_product.php:22
auth · wp_ajax_wpcueremove_item · common\classes\wpcue_basic_product.php:23
auth · wp_ajax_wpcuequizsavequestion_action · common\classes\wpcue_basic_questionpost.php:18
auth · wp_ajax_wpcuequizeditquestion_action · common\classes\wpcue_basic_questionpost.php:19
auth · wp_ajax_wpcuequizaddquestion_action · common\classes\wpcue_basic_questionpost.php:20
auth · wp_ajax_wpcuequizaddinitialanswer_action · common\classes\wpcue_basic_questionpost.php:21
auth · wp_ajax_wpcuequizaddsecondaryanswer_action · common\classes\wpcue_basic_questionpost.php:22
auth · wp_ajax_wpcuequizaddanswer_action · common\classes\wpcue_basic_questionpost.php:23
auth · wp_ajax_wpcuequizremovequestion_action · common\classes\wpcue_basic_questionpost.php:24
auth · wp_ajax_wpcuequizchangequestorder_action · common\classes\wpcue_basic_questionpost.php:25
auth · wp_ajax_wpcuequizchangeansorder_action · common\classes\wpcue_basic_questionpost.php:26
auth · wp_ajax_wpcuequizsavequiz_action · common\classes\wpcue_basic_quiz.php:19
auth · wp_ajax_wpcuequizadddepgrade_action · common\classes\wpcue_basic_quiz.php:20
auth · wp_ajax_wpcuequizremdepgrade_action · common\classes\wpcue_basic_quiz.php:21
auth · wp_ajax_wpcuequizsavequizcategory_action · common\classes\wpcue_basic_quiz.php:22

Shortcodes 4

[wpcuebasicchart] common\classes\wpcue_basic_chart.php:22
[wpcuebasicleader] common\classes\wpcue_basic_leaderboard.php:23
[wpcuebasicproduct] common\classes\wpcue_basic_product.php:24
[wpcuebasicquiz] public\wpcue_quiz_public.php:28
WordPress Hooks 94
filter · manage_wpcuebasicquiz_posts_columns · admin\classes\wpcue_quiz_action.php:15
action · manage_wpcuebasicquiz_posts_custom_column · admin\classes\wpcue_quiz_action.php:16
filter · post_row_actions · admin\classes\wpcue_quiz_action.php:18
action · restrict_manage_posts · admin\classes\wpcue_quiz_action.php:21
filter · parse_query · admin\classes\wpcue_quiz_action.php:22
filter · get_edit_post_link · admin\classes\wpcue_quiz_action.php:23
action · admin_head · admin\classes\wpcue_quiz_action.php:24
action · admin_init · admin\classes\wpcue_quiz_setting.php:15
action · admin_footer · admin\templates\adderror.php:72
action · admin_footer · admin\templates\adderror.php:76
action · admin_footer · admin\templates\addnewquestion.php:34
action · admin_footer · admin\templates\addnewquestion.php:39
action · admin_footer · admin\templates\addnewsection.php:36
action · admin_footer · admin\templates\addnewsection.php:41
action · admin_footer · admin\templates\createquiz.php:33
action · admin_footer · admin\templates\createquiz.php:38
action · admin_footer · admin\templates\edit-badge-form.php:86
action · admin_footer · admin\templates\edit-badge-form.php:90
action · admin_footer · admin\templates\edit-certificate-form.php:63
action · admin_footer · admin\templates\edit-certificate-form.php:67
action · admin_footer · admin\templates\edit-level-form.php:68
action · admin_footer · admin\templates\edit-level-form.php:72
action · admin_footer · admin\templates\edit-product-form.php:42
action · admin_footer · admin\templates\edit-product-form.php:46
action · init · admin\wpcue_quiz_admin.php:14
action · admin_menu · admin\wpcue_quiz_admin.php:16
action · pre_update_option_wpcuequiz_setting · admin\wpcue_quiz_admin.php:17
action · wp_kses_allowed_html · admin\wpcue_quiz_admin.php:18
action · admin_init · admin\wpcue_quiz_admin.php:28
action · load-edit-tags.php · admin\wpcue_quiz_admin.php:161
action · admin_enqueue_scripts · admin\wpcue_quiz_admin.php:172
action · admin_enqueue_scripts · admin\wpcue_quiz_admin.php:175
action · admin_enqueue_scripts · admin\wpcue_quiz_admin.php:180
filter · tiny_mce_before_init · admin\wpcue_quiz_admin.php:250
filter · mce_external_plugins · admin\wpcue_quiz_admin.php:251
filter · mce_buttons · admin\wpcue_quiz_admin.php:252
action · admin_enqueue_scripts · admin\wpcue_quiz_admin.php:253
action · admin_enqueue_scripts · admin\wpcue_quiz_admin.php:349
filter · wp_mail_content_type · admin\wpcue_quiz_admin.php:675
filter · wp_mail_content_type · admin\wpcue_quiz_admin.php:682
action · init · common\classes\wpcue_basic_badge.php:15
filter · manage_wpcuebasicbadge_posts_columns · common\classes\wpcue_basic_badge.php:16
action · manage_wpcuebasicbadge_posts_custom_column · common\classes\wpcue_basic_badge.php:17
action · schedule_wpcuebadgelevel_cron · common\classes\wpcue_basic_badge.php:18
filter · post_row_actions · common\classes\wpcue_basic_badge.php:19
filter · get_edit_post_link · common\classes\wpcue_basic_badge.php:22
action · admin_head · common\classes\wpcue_basic_badge.php:23
action · update_option_wpcuequiz_setting · common\classes\wpcue_basic_badge.php:24
filter · wp_mail_content_type · common\classes\wpcue_basic_badge.php:417
filter · wp_mail_content_type · common\classes\wpcue_basic_badge.php:427
filter · wp_mail_content_type · common\classes\wpcue_basic_badge.php:448
filter · wp_mail_content_type · common\classes\wpcue_basic_badge.php:464
action · init · common\classes\wpcue_basic_certificate.php:15
filter · post_row_actions · common\classes\wpcue_basic_certificate.php:16
filter · get_edit_post_link · common\classes\wpcue_basic_certificate.php:19
action · admin_head · common\classes\wpcue_basic_certificate.php:20
action · init · common\classes\wpcue_basic_chart.php:17
action · init · common\classes\wpcue_basic_error.php:16
filter · get_edit_post_link · common\classes\wpcue_basic_error.php:17
action · admin_head · common\classes\wpcue_basic_error.php:18
action · delete_post · common\classes\wpcue_basic_error.php:19
action · init · common\classes\wpcue_basic_gradegroup.php:17
filter · tiny_mce_before_init · common\classes\wpcue_basic_gradegroup.php:23
filter · mce_external_plugins · common\classes\wpcue_basic_gradegroup.php:24
filter · mce_buttons · common\classes\wpcue_basic_gradegroup.php:25
filter · get_edit_post_link · common\classes\wpcue_basic_gradegroup.php:26
action · admin_head · common\classes\wpcue_basic_gradegroup.php:27
action · init · common\classes\wpcue_basic_leaderboard.php:18
action · init · common\classes\wpcue_basic_level.php:17
filter · manage_wpcuebasiclevel_posts_columns · common\classes\wpcue_basic_level.php:18
action · manage_wpcuebasiclevel_posts_custom_column · common\classes\wpcue_basic_level.php:19
filter · post_row_actions · common\classes\wpcue_basic_level.php:20
filter · get_edit_post_link · common\classes\wpcue_basic_level.php:23
action · admin_head · common\classes\wpcue_basic_level.php:24
action · init · common\classes\wpcue_basic_product.php:17
filter · post_row_actions · common\classes\wpcue_basic_product.php:18
filter · get_edit_post_link · common\classes\wpcue_basic_product.php:25
action · admin_head · common\classes\wpcue_basic_product.php:26
filter · manage_wpcuebasicproduct_posts_columns · common\classes\wpcue_basic_product.php:27
action · manage_wpcuebasicproduct_posts_custom_column · common\classes\wpcue_basic_product.php:28
filter · query_vars · common\classes\wpcue_basic_product.php:29
action · template_redirect · common\classes\wpcue_basic_product.php:30
action · init · common\classes\wpcue_basic_questionpost.php:17
filter · get_edit_post_link · common\classes\wpcue_basic_questionpost.php:27
action · admin_head · common\classes\wpcue_basic_questionpost.php:28
action · init · common\classes\wpcue_basic_quiz.php:17
action · before_delete_post · common\classes\wpcue_basic_quiz.php:18
action · init · common\classes\wpcue_basic_section.php:16
filter · get_edit_post_link · common\classes\wpcue_basic_section.php:17
action · admin_head · common\classes\wpcue_basic_section.php:18
filter · the_content · public\wpcue_quiz_public.php:15
action · template_redirect · public\wpcue_quiz_public.php:16
action · init · public\wpcue_quiz_public.php:17
filter · query_vars · public\wpcue_quiz_public.php:18

Scheduled Events 1

schedule_wpcuebadgelevel_cron
Maintenance & Trust

WpCues Basic Quiz Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.2.39
Last updated: Unknown
PHP min version
Downloads: 5K

Community Trust

Rating: 98/100
Number of ratings: 8
Active installs: 10
Developer Profile

WpCues Basic Quiz Developer Profile

wpcues

1 plugin · 10 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WpCues Basic Quiz

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpcues-basic-quiz/admin/css/olderwp-spinner.css
Version Parameters
wpcues-basic-quiz/admin/css/olderwp-spinner.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpcue_quiz_setting, wpcue_quiz_action, wpcue_quiz_base, WpCueQuiz_Admin, WpCueQuiz_Public, WpCueQuiz_Config, WpCueBasicQuiz, WpCueBasicBadge
HTML Comments
<!-- Show author specific posts and comments -->
<!-- admin-menu pages -->
<!-- Include Classes -->
<!-- Add mathslate plugin to tinymce editors -->
Data Attributes
data-wpcuequiz-quizid, data-wpcuequiz-questionid, data-wpcuequiz-quiztype, data-wpcuequiz-question, data-wpcuequiz-answer, data-wpcuequiz-totalquestions
JS Globals
WpCueQuiz, wpCueQuizAjax
REST Endpoints
/wp-json/wpcues-basic-quiz/v1/quizzes
/wp-json/wpcues-basic-quiz/v1/quizzes/<id>
Shortcode Output
[wpcue_quiz id="1"]
[wpcue_quiz]
[wpcue_quiz_results]