ExpressTech Systems Quiz And Survey Master CVE-2025-63054
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.2.
AnalysisAI
Missing authorization in ExpressTech Systems Quiz And Survey Master WordPress plugin through version 10.3.2 allows unauthenticated remote attackers to read sensitive quiz and survey data by exploiting incorrectly configured access control security levels. The vulnerability is assigned CVSS 5.3 (moderate), affects the plugin across multiple versions, and enables unauthorized information disclosure without requiring authentication or user interaction.
Technical ContextAI
CWE-862 (Missing Authorization) identifies the root cause: the plugin fails to enforce proper access control checks before granting access to quiz and survey resources. This is a classic broken access control vulnerability where the application relies on security-through-obscurity or client-side controls rather than server-side authorization validation. The vulnerability affects ExpressTech Systems' Quiz And Survey Master plugin, likely in the WordPress plugin architecture where API endpoints or administrative functions lack proper capability verification before returning sensitive quiz data, survey responses, or configuration details.
Affected ProductsAI
ExpressTech Systems Quiz And Survey Master WordPress plugin versions up to and including 10.3.2 are affected. The plugin is available through the WordPress.org plugin repository and is identified by CPE references to the quiz-master-next package. Versions prior to an unspecified patched release contain the missing authorization vulnerability.
RemediationAI
Update Quiz And Survey Master to the latest patched version released after 10.3.2 through the WordPress plugin dashboard or by downloading directly from the official plugin repository at wordpress.org. If immediate upgrade is not feasible, review and restrict access to quiz and survey administration pages through WordPress user role management, ensuring only authenticated and properly-privileged administrators can access sensitive quiz data and survey responses. Consult Patchstack's vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-1-broken-access-control-vulnerability for technical details and confirmation of the patched version.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today