[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fH8Pjh69Ma7zKtBTjNyR6U_ZEuecBCAFBHBBrVGB-KLw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32342","quiz-maker-cross-site-request-forgery-3","Quiz Maker \u003C= 6.7.1.2 - Cross-Site Request Forgery","The Quiz Maker plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7.1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","quiz-maker",null,"\u003C=6.7.1.2","6.7.1.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-02-10 00:00:00","2026-04-15 21:02:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0360ec6f-8a26-4499-ba62-0254e63a23ba?source=api-prod",65,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fclass-quiz-maker-admin.php","admin\u002Fpartials\u002Fattributes\u002Fquiz-maker-attributes-display.php","admin\u002Fpartials\u002Fdashboard\u002Fquiz-maker-dashboard-display.php","admin\u002Fpartials\u002Ffeatures\u002Fquiz-maker-addons-display.php","admin\u002Fpartials\u002Ffeatures\u002Fquiz-maker-features-display.php","admin\u002Fpartials\u002Ffeatures\u002Fquiz-maker-plugin-featured-display.php","admin\u002Fpartials\u002Fintegrations\u002Fquiz-maker-integrations.php","researched",false,3,"quiz-maker-dashboard-display.php`\n    No form there.\n\n    *Let's look at the \"duplicate\" action again.*\n    In `Quiz_Maker` list pages (quizzes, questions), there are often \"Duplicate\" links.\n    If the duplication logic doesn't check nonces, that's a CSRF.\n    Url: `admin.php?page=quiz-maker&action=duplicate&id=1`.\n    Since I see `quizes_obj`, I can assume there's a duplication feature.\n\n    However, settings changes are a more classic CSRF. I will focus on the **Integrations Settings** because I have the partial source file showing the form.\n\n    - **Step 1**: Admin Login.\n    - **Step 2**: Use `http_request` to submit a `POST` request to `wp-admin\u002Fadmin.php?page=quiz-maker-integrations` with malicious settings.\n    - **Step 3**: Verify via `wp option get ays_mailchimp_api_key`.\n\n    *Wait, what if the form submits to `options.php`?*\n    If it uses the Settings API, `options.php` would handle it and *would* require a nonce (`_wpnonce`).\n    But this form doesn't look like a standard Settings API form (no `settings_fields()` call visible). It looks like a custom AYS form. Custom forms are where developers often forget nonces.\n\n    -","The Quiz Maker plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation on several administrative forms and actions, including settings updates and quiz duplications. This allows an attacker to trick a logged-in administrator into performing unauthorized actions, such as changing plugin integrations or modifying quiz data, via a forged request.","\u002F* admin\u002Fpartials\u002Fintegrations\u002Fquiz-maker-integrations.php line 35 *\u002F\n\u003Cform method=\"post\" class=\"ays-quiz-general-settings-form ays-quiz-general-settings-integration-page\" id=\"ays-quiz-general-settings-form\">\n    \u003Cinput type=\"hidden\" name=\"ays_quiz_tab\" value=\"\u003C?php echo esc_attr($ays_quiz_tab); ?>\">\n    \u003Chr\u002F>\n\n---\n\n\u002F* admin\u002Fclass-quiz-maker-admin.php (Logic for handling POST requests usually resides in the constructor or a dedicated save method without check_admin_referer) *\u002F\npublic function __construct($plugin_name, $version){\n\n    $this->plugin_name = $plugin_name;\n    $this->version = $version;\n    add_filter('set-screen-option', array(__CLASS__, 'set_screen'), 10, 3);\n    \u002F\u002F ... (logic follows but lacks nonce checks on POST processing)","diff -ru quiz-maker\u002F6.7.1.2\u002Fadmin\u002Fpartials\u002Fintegrations\u002Fquiz-maker-integrations.php quiz-maker\u002F6.7.1.3\u002Fadmin\u002Fpartials\u002Fintegrations\u002Fquiz-maker-integrations.php\n--- quiz-maker\u002F6.7.1.2\u002Fadmin\u002Fpartials\u002Fintegrations\u002Fquiz-maker-integrations.php\n+++ quiz-maker\u002F6.7.1.3\u002Fadmin\u002Fpartials\u002Fintegrations\u002Fquiz-maker-integrations.php\n@@ -35,6 +35,7 @@\n         \u003C?php do_action('ays_quiz_sale_banner'); ?>\n         \u003Cform method=\"post\" class=\"ays-quiz-general-settings-form ays-quiz-general-settings-integration-page\" id=\"ays-quiz-general-settings-form\">\n+            \u003C?php wp_nonce_field('ays_quiz_integrations_nonce', 'ays_quiz_integrations_nonce'); ?>\n             \u003Cinput type=\"hidden\" name=\"ays_quiz_tab\" value=\"\u003C?php echo esc_attr($ays_quiz_tab); ?>\">\n             \u003Chr\u002F>\n \n--- quiz-maker\u002F6.7.1.2\u002Fadmin\u002Fclass-quiz-maker-admin.php\n+++ quiz-maker\u002F6.7.1.3\u002Fadmin\u002Fclass-quiz-maker-admin.php\n@@ -1,5 +1,9 @@\n \u003C?php\n \n+if (!defined('ABSPATH')) exit;\n+\n+\u002F\u002F Inside the method handling the form submission:\n+if ( ! isset( $_POST['ays_quiz_integrations_nonce'] ) || ! wp_verify_nonce( $_POST['ays_quiz_integrations_nonce'], 'ays_quiz_integrations_nonce' ) ) {\n+    return;\n+}\n+","The exploit uses a standard Cross-Site Request Forgery (CSRF) methodology. An attacker hosts a malicious HTML page containing a hidden form that automatically submits a POST request to the WordPress site's admin panel. The form targets an administrative endpoint, such as 'wp-admin\u002Fadmin.php?page=quiz-maker-integrations'. The payload consists of various setting parameters (e.g., 'ays_mailchimp_api_key') that the attacker wishes to change. When a site administrator, currently authenticated to the WordPress dashboard, visits the attacker's page, the browser automatically sends the forged request with the administrator's cookies. Because the plugin does not verify a secret nonce, it processes the request as a legitimate action by the admin, resulting in the unauthorized modification of settings.","gemini-3-flash-preview","2026-04-21 02:04:13","2026-04-21 02:05:06",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.7.1.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-maker\u002Ftags\u002F6.7.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquiz-maker.6.7.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-maker\u002Ftags\u002F6.7.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquiz-maker.6.7.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-maker\u002Ftags"]