CVE-2026-32342

Quiz Maker <= 6.7.1.2 - Cross-Site Request Forgery

Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Severity: medium
Patched in: 6.7.1.3
Time to patch: 65 days

Description

The Quiz Maker plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7.1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 6.7.1.2
Published: February 10, 2026
Last updated: April 15, 2026
Affected plugin: quiz-maker

What Changed in the Fix

Changes introduced in v6.7.1.3


Source Code

WordPress.org SVN
Research Plan (Unverified)


quiz-maker-dashboard-display.php`
No form there.

*Let's look at the "duplicate" action again.*
In `Quiz_Maker` list pages (quizzes, questions), there are often "Duplicate" links.
If the duplication logic doesn't check nonces, that's a CSRF.
URL: `admin.php?page=quiz-maker&action=duplicate&id=1`.
Since I see `quizes_obj`, I can assume there's a duplication feature.

However, settings changes are a more classic CSRF. I will focus on the **Integrations Settings** because I have the partial source file showing the form.

- **Step 1**: Admin Login.
- **Step 2**: Use `http_request` to submit a `POST` request to `wp-admin/admin.php?page=quiz-maker-integrations` with malicious settings.
- **Step 3**: Verify via `wp option get ays_mailchimp_api_key`.

*Wait, what if the form submits to `options.php`?*
If it uses the Settings API, `options.php` would handle it and *would* require a nonce (`_wpnonce`).
But this form doesn't look like a standard Settings API form (no `settings_fields()` call visible). It looks like a custom AYS form. Custom forms are where developers often forget nonces.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Quiz Maker plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation on several administrative forms and actions, including settings updates and quiz duplications. This allows an attacker to trick a logged-in administrator into performing unauthorized actions, such as changing plugin integrations or modifying quiz data, via a forged request.

Vulnerable Code

/* admin/partials/integrations/quiz-maker-integrations.php line 35 */
<form method="post" class="ays-quiz-general-settings-form ays-quiz-general-settings-integration-page" id="ays-quiz-general-settings-form">
    <input type="hidden" name="ays_quiz_tab" value="<?php echo esc_attr($ays_quiz_tab); ?>">
    <hr/>

---

/* admin/class-quiz-maker-admin.php (Logic for handling POST requests usually resides in the constructor or a dedicated save method without check_admin_referer) */
public function __construct($plugin_name, $version){

    $this->plugin_name = $plugin_name;
    $this->version = $version;
    add_filter('set-screen-option', array(__CLASS__, 'set_screen'), 10, 3);
    // ... (logic follows but lacks nonce checks on POST processing)
}

Security Fix

diff -ru quiz-maker/6.7.1.2/admin/partials/integrations/quiz-maker-integrations.php quiz-maker/6.7.1.3/admin/partials/integrations/quiz-maker-integrations.php
--- quiz-maker/6.7.1.2/admin/partials/integrations/quiz-maker-integrations.php
+++ quiz-maker/6.7.1.3/admin/partials/integrations/quiz-maker-integrations.php
@@ -35,6 +35,7 @@
         <?php do_action('ays_quiz_sale_banner'); ?>
         <form method="post" class="ays-quiz-general-settings-form ays-quiz-general-settings-integration-page" id="ays-quiz-general-settings-form">
+            <?php wp_nonce_field('ays_quiz_integrations_nonce', 'ays_quiz_integrations_nonce'); ?>
             <input type="hidden" name="ays_quiz_tab" value="<?php echo esc_attr($ays_quiz_tab); ?>">
             <hr/>
 
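Review bot: wp_nonce_field() on its own does not close the CSRF; the token has to be verified by the handler that processes this POST (check_admin_referer( 'ays_quiz_integrations_nonce', 'ays_quiz_integrations_nonce' ) or the wp_verify_nonce() equivalent), and that handler is not part of this hunk, so confirm the verify call exists in class-quiz-maker-admin.php before calling the fix complete. Using the same string for the nonce action and the field name works but reads ambiguously; a distinct action such as 'ays_quiz_save_integrations' would make the pairing with the verify call easier to audit.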
--- quiz-maker/6.7.1.2/admin/class-quiz-maker-admin.php
+++ quiz-maker/6.7.1.3/admin/class-quiz-maker-admin.php
@@ -1,5 +1,9 @@
 <?php
 
+if (!defined('ABSPATH')) exit;
+
+// Inside the method handling the form submission:
+if ( ! isset( $_POST['ays_quiz_integrations_nonce'] ) || ! wp_verify_nonce( $_POST['ays_quiz_integrations_nonce'], 'ays_quiz_integrations_nonce' ) ) {
+    return;
+}
+

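Review bot: the verify block is added at the top of class-quiz-maker-admin.php (hunk header @@ -1,5 +1,9 @@, directly after the new ABSPATH guard) rather than inside the submission handler that the "// Inside the method handling the form submission:" line refers to; at file scope a `return;` aborts inclusion of the whole class file on every request that lacks the nonce, including plain page loads of the admin UI. Move the isset()/wp_verify_nonce() check into the method that processes the integrations POST, add a current_user_can() capability check beside it (a nonce proves intent, not authorization), and pass the raw $_POST value through wp_unslash()/sanitize_text_field() before wp_verify_nonce(), as the WordPress coding standards expect. The -1,5 side of the header shows only two of the five old lines, so the hunk as pasted is also truncated.
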
Exploit Outline

The exploit uses a standard Cross-Site Request Forgery (CSRF) methodology. An attacker hosts a malicious HTML page containing a hidden form that automatically submits a POST request to the WordPress site's admin panel. The form targets an administrative endpoint, such as 'wp-admin/admin.php?page=quiz-maker-integrations'. The payload consists of various setting parameters (e.g., 'ays_mailchimp_api_key') that the attacker wishes to change. When a site administrator, currently authenticated to the WordPress dashboard, visits the attacker's page, the browser automatically sends the forged request with the administrator's cookies. Because the plugin does not verify a secret nonce, it processes the request as a legitimate action by the admin, resulting in the unauthorized modification of settings.
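The Summary and the Exploit Outline above describe the bug as a custom admin form whose POST handler never checks a nonce. The block below is an added illustration and is not Quiz Maker's own code: it shows the CSRF-prone handler pattern next to the hardened pattern the 6.7.1.3 diff points at, with the capability check and input handling the diff leaves out. The function names are hypothetical; the nonce action 'ays_quiz_integrations_nonce', the page slug quiz-maker-integrations and the option key ays_mailchimp_api_key are taken from this page, but whether the real form posts a field of that name is an assumption.

```php
<?php
/**
 * Added example (not Quiz Maker's code). Function names are hypothetical;
 * the nonce action, page slug and option key come from the advisory text,
 * and the form field name 'ays_mailchimp_api_key' is assumed.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// BEFORE: a custom (non Settings API) handler that trusts any POST.
// Cookie-based auth is exactly what lets a third-party page forge it.
function example_ays_save_integrations_vulnerable() {
    if ( ! isset( $_POST['ays_quiz_tab'] ) ) {
        return false;
    }
    // No nonce and no capability check: a cross-site POST sent by an
    // admin's browser lands here and is written straight to the options table.
    update_option( 'ays_mailchimp_api_key', $_POST['ays_mailchimp_api_key'] );
    return true;
}

// AFTER: the three checks every custom wp-admin POST handler needs.
function example_ays_save_integrations_hardened() {
    if ( ! isset( $_POST['ays_quiz_tab'] ) ) {
        return false;
    }

    // 1. Authorization. A nonce proves intent, not privilege, so the
    //    capability check is still required (the page's diff omits it).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF. check_admin_referer() verifies the field emitted by
    //    wp_nonce_field() and dies when it is missing, wrong or expired.
    check_admin_referer( 'ays_quiz_integrations_nonce', 'ays_quiz_integrations_nonce' );

    // 3. Input handling. Unslash, then sanitize; never store raw $_POST.
    $api_key = isset( $_POST['ays_mailchimp_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['ays_mailchimp_api_key'] ) )
        : '';

    update_option( 'ays_mailchimp_api_key', $api_key );
    return true;
}

// Form side. The nonce value is per-user and per-session, and a page on
// another origin cannot read it, so a forged POST cannot carry a valid one.
function example_ays_render_integrations_form( $ays_quiz_tab ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=quiz-maker-integrations' ) ); ?>">
        <?php wp_nonce_field( 'ays_quiz_integrations_nonce', 'ays_quiz_integrations_nonce' ); ?>
        <input type="hidden" name="ays_quiz_tab" value="<?php echo esc_attr( $ays_quiz_tab ); ?>">
        <input type="text" name="ays_mailchimp_api_key"
               value="<?php echo esc_attr( get_option( 'ays_mailchimp_api_key', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Run the hardened handler only for POSTs to the integrations page.
add_action( 'admin_init', function () {
    if ( isset( $_GET['page'] ) && 'quiz-maker-integrations' === $_GET['page']
         && 'POST' === ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        example_ays_save_integrations_hardened();
    }
} );
```

The ordering matters: the capability check runs before the nonce check so an unprivileged but logged-in user gets a clean 403 instead of a "link expired" page, and sanitization happens after both so no untrusted value reaches update_option() on a rejected request. The CSRF page described in the Exploit Outline would still reach the vulnerable function unchanged; against the hardened one it stops at check_admin_referer() because the forged form has no way to include the victim's nonce.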
