CVE-2026-25324

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker <= 10.3.4 - Unauthenticated Insecure Direct Object Reference

Authorization Bypass Through User-Controlled Key

CVSS Score: 5.3
Severity: medium
Patched in: 10.3.5
Time to patch: 93d

Description

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.3.4 due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to [describe the impact of the vulnerability].

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=10.3.4
Published: February 1, 2026
Last updated: May 4, 2026
Affected plugin: quiz-master-next

What Changed in the Fix

Changes introduced in v10.3.5


Research Plan
Unverified

Exploitation Research Plan - CVE-2026-25324

1. Vulnerability Summary

The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to an Unauthenticated Insecure Direct Object Reference (IDOR) in versions up to and including 10.3.4. The flaw exists in the QMNQuizManager::qsm_create_quiz_nonce AJAX handler (registered via wp_ajax_nopriv_qsm_create_quiz_nonce), which allows any user to generate a valid security nonce for any quiz by providing a quiz_id. This leaked nonce can then be used to perform actions on quizzes—such as submitting results or potentially manipulating existing ones—without proper authorization or ownership checks.

2. Attack Vector Analysis

  • Endpoints:
    • /wp-admin/admin-ajax.php?action=qsm_create_quiz_nonce (Nonce leak)
    • /wp-admin/admin-ajax.php?action=qmn_process_quiz (Privileged action)
  • Parameters:
    • quiz_id: The ID of the quiz to target.
    • nonce: The leaked nonce obtained from the first endpoint.
  • Authentication: Unauthenticated (None).
  • Preconditions: A quiz must exist in the system (default quizzes are often created upon installation).
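
For detection on sites still running 10.3.4 or earlier, the two endpoints above can be tracked per client in the web access log. The script below is an added example, not code from the plugin or from this advisory. It assumes combined log format and that action and quiz_id appear in the query string as written above (values sent in a POST body are not visible in access logs); the sample lines, IP addresses and the threshold of three distinct quizzes are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format log lines for illustration (not real traffic).
SAMPLE_LOG = """\
198.51.100.20 - - [02/Feb/2026:09:58:10 +0000] "GET /quiz/onboarding/ HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Feb/2026:09:58:11 +0000] "POST /wp-admin/admin-ajax.php?action=qsm_create_quiz_nonce&quiz_id=4 HTTP/1.1" 200 71 "https://example.test/quiz/onboarding/" "Mozilla/5.0"
198.51.100.20 - - [02/Feb/2026:10:01:40 +0000] "POST /wp-admin/admin-ajax.php?action=qmn_process_quiz HTTP/1.1" 200 2210 "https://example.test/quiz/onboarding/" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:05:01 +0000] "POST /wp-admin/admin-ajax.php?action=qsm_create_quiz_nonce&quiz_id=1 HTTP/1.1" 200 71 "-" "python-requests/2.32"
203.0.113.7 - - [02/Feb/2026:10:05:02 +0000] "POST /wp-admin/admin-ajax.php?action=qsm_create_quiz_nonce&quiz_id=2 HTTP/1.1" 200 71 "-" "python-requests/2.32"
203.0.113.7 - - [02/Feb/2026:10:05:03 +0000] "POST /wp-admin/admin-ajax.php?action=qsm_create_quiz_nonce&quiz_id=3 HTTP/1.1" 200 71 "-" "python-requests/2.32"
203.0.113.7 - - [02/Feb/2026:10:05:04 +0000] "POST /wp-admin/admin-ajax.php?action=qmn_process_quiz HTTP/1.1" 200 2210 "-" "python-requests/2.32"
"""

# client IP, two ignored fields, timestamp, then the request line
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def summarize(log_text):
    """Per client IP: quiz IDs sent to the nonce endpoint and quiz submissions seen."""
    stats = defaultdict(lambda: {"quiz_ids": set(), "nonce_requests": 0, "submissions": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        query = parse_qs(url.query)
        action = query.get("action", [""])[0]
        if action == "qsm_create_quiz_nonce":
            entry = stats[m.group("ip")]
            entry["nonce_requests"] += 1
            entry["quiz_ids"].update(query.get("quiz_id", []))
        elif action == "qmn_process_quiz":
            stats[m.group("ip")]["submissions"] += 1
    return dict(stats)

def flag_clients(stats, min_distinct_quizzes=3):
    """Clients that requested nonces for at least min_distinct_quizzes different quizzes."""
    return sorted(ip for ip, s in stats.items() if len(s["quiz_ids"]) >= min_distinct_quizzes)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in flag_clients(summary):
        s = summary[ip]
        print(ip, "quiz_ids:", sorted(s["quiz_ids"]), "submissions:", s["submissions"])
```

A visitor taking a single quiz also requests one nonce and submits once, so the signal is the number of distinct quiz IDs per client, not the mere presence of either action.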

3. Code Flow

  1. Entry Point (Leak): `QMNQuizManager::add
