[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqATaZv6jC9ET8DUKhx7Vtyx-QJgdpdrKiSGPh7cpSsc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-25329","quiz-and-survey-master-qsm-easy-quiz-and-survey-maker-missing-authorization","Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker \u003C= 10.3.4 - Missing Authorization","The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 10.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","quiz-master-next",null,"\u003C=10.3.4","10.3.5","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-05 00:00:00","2026-05-04 15:26:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2368e46a-022c-4829-80f1-7d010e8587ed?source=api-prod",89,[22,23,24,25,26],"js\u002Fqsm-admin.js","mlw_quizmaster2.php","php\u002Fclasses\u002Fclass-qmn-quiz-manager.php","php\u002Fclasses\u002Fclass-qsm-migrate.php","readme.txt","researched",false,3,"This research plan targets a missing authorization vulnerability in **Quiz and Survey Master (QSM) \u003C= 10.3.4**. Specifically, it exploits the `enable_multiple_categories` AJAX action, which lacks a capability check and incorrectly relies on the generic `wp_rest` nonce, making it accessible to any authenticated user, including those with **Subscriber** roles.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization.\n*   **Vulnerable Function:** `QSM_Migrate::enable_multiple_categories`.\n*   **File Path:** `php\u002Fclasses\u002Fclass-qsm-migrate.php`.\n*   **Root Cause:** The function verifies a nonce (`wp_rest`) and checks `is_admin()`. However, `is_admin()` only checks if the current request is for an admin screen (which includes `admin-ajax.php`) and is **not** a capability check. No `current_user_can()` check is performed, allowing any authenticated user to modify plugin settings or trigger database operations.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`.\n*   **Action:** `enable_multiple_categories`.\n*   **Method:** `POST`.\n*   **Authentication:** Required (Subscriber or higher).\n*   **Required Parameter:** `nonce` (must be a valid `wp_rest` nonce).\n*   **Payload Parameter:** `value=cancel` (to modify the `qsm_multiple_category_enabled` option).\n\n### 3. Code Flow\n1.  **Entry Point:** `wp-admin\u002Fadmin-ajax.php` receives a request with `action=enable_multiple_categories`.\n2.  **Hook Registration:** `QSM_Migrate::__construct` (in `php\u002Fclasses\u002Fclass-qsm-migrate.php`) registers the action:\n    `add_action( 'wp_ajax_enable_multiple_categories', array( $this, 'enable_multiple_categories' ) );`.\n3.  **Vulnerable Function Call:** `enable_multiple_categories()` is executed.\n4.  **Insufficient Verification:** \n    *   It checks `$_POST['nonce']` against `'wp_rest'`. Any logged-in user can obtain a `wp_rest` nonce as it is used by the standard WordPress REST API.\n    *   It does **not** check for a specific capability (e.g., `manage_options`).\n5.  **Sink:** If `$_POST['value']` is `'cancel'`, it executes:\n    `update_option( 'qsm_multiple_category_enabled', 'cancelled' );`.\n\n### 4. Nonce Acquisition Strategy\nThe endpoint requires a `wp_rest` nonce. WordPress typically localizes this for the REST API in the admin dashboard.\n1.  **Identify Trigger:** The `wp_rest` nonce is standard for any user logged into the WordPress dashboard.\n2.  **Navigation:** Navigate to a standard admin page accessible to Subscribers, such as `wp-admin\u002Fprofile.php`.\n3.  **Extraction:** Use `browser_eval` to extract the nonce from the `wpApiSettings` global object or the `wp-api-js-extra` script block.\n    *   **JS Command:** `window.wpApiSettings?.nonce` or `window._wpnonce`.\n\n### 5. Exploitation Strategy\n1.  **Authentication:** Log in as a Subscriber.\n2.  **Nonce Retrieval:** Navigate to `\u002Fwp-admin\u002Fprofile.php` and execute `browser_eval(\"window.wpApiSettings.nonce\")` to get the `wp_rest` nonce.\n3.  **Execute Payload:** Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` using the `http_request` tool.\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`.\n    *   **Body:** `action=enable_multiple_categories&nonce=[EXTRACTED_NONCE]&value=cancel`.\n4.  **Alternative (High Impact):** If a `qmn_failed_submission` nonce is discovered (check localized scripts in `wp-admin\u002Fadmin.php?page=mlw_quizmaster_results`), the same logic can be applied to `qsm_action_failed_submission_table` to trash arbitrary posts.\n\n### 6. Test Data Setup\n1.  **Plugin Configuration:** Ensure the plugin is active and configured.\n2.  **Initial State:** Ensure the option `qsm_multiple_category_enabled` is NOT set to `'cancelled'`.\n    *   `wp option update qsm_multiple_category_enabled 0`\n3.  **User Creation:** Create a subscriber user:\n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n\n### 7. Expected Results\n*   The AJAX request should return a JSON success response: `{\"success\":true}`.\n*   The WordPress option `qsm_multiple_category_enabled` will be updated to the string `'cancelled'`.\n\n### 8. Verification Steps\n1.  **WP-CLI Check:** Verify the option value after the exploit.\n    *   `wp option get qsm_multiple_category_enabled`\n    *   **Expected Output:** `cancelled`.\n2.  **Audit Logs:** If audit logging is active, check for the unauthorized change.\n\n### 9. Alternative Approaches\nIf the `wp_rest` nonce is not easily found:\n*   **REST API Discovery:** Check `\u002Fwp-json\u002F` headers for a `X-WP-Nonce`.\n*   **Other vulnerable endpoints:**\n    *   `qsm_check_fix_db` (action) using nonce `qmn_check_db`.\n    *   `qsm_action_failed_submission_table` (action) using nonce `qmn_failed_submission`.\n    These also lack capability checks in `class-qmn-quiz-manager.php`. If a Subscriber can access a page where these nonces are localized (via `wp_localize_script`), they can exploit these endpoints to trigger SQL (ALTER TABLE) or trash posts.","gemini-3-flash-preview","2026-05-04 20:15:50","2026-05-04 20:16:33",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","10.3.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-master-next\u002Ftags\u002F10.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquiz-master-next.10.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-master-next\u002Ftags\u002F10.3.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquiz-master-next.10.3.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-master-next\u002Ftags"]