Description

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes, which allow file upload.

Related CPE's

a

expresstech

quiz_and_survey_master

*

*

*

*

*

wordpress

Vulnerable

References

https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L1987

Product

https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L281

Product

https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/rest-api.php

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/88a9abf4-62a9-4695-87e7-18ff0b0075e9?source=cve

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-862

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

6.5 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-06T10:15:48.940Z

4 days ago

Last modified

2026-01-09T13:25:57.263Z

34 hours ago