CVE-2025-63054

MEDIUM 5.3 (CVSS 3.1)
2025-12-09

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), MEDIUM 5.3

Description

Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz And Survey Master: from n/a through <= 10.3.2.

Analysis

Missing authorization in the ExpressTech Systems Quiz And Survey Master WordPress plugin through version 10.3.2 allows unauthenticated remote attackers to read sensitive quiz and survey data by exploiting incorrectly configured access control security levels. The vulnerability is rated CVSS 5.3 (Medium), affects all plugin versions up to and including 10.3.2, and results in unauthorized information disclosure without requiring authentication or user interaction.

Technical Context

CWE-862 (Missing Authorization) identifies the root cause: the plugin fails to enforce proper access control checks before granting access to quiz and survey resources. This is a classic broken access control vulnerability where the application relies on security-through-obscurity or client-side controls rather than server-side authorization validation. The affected code path in ExpressTech Systems' Quiz And Survey Master plugin is not identified; within the WordPress plugin architecture it is likely an API endpoint or administrative function that lacks proper capability verification before returning sensitive quiz data, survey responses, or configuration details.

Affected Products

ExpressTech Systems Quiz And Survey Master WordPress plugin versions up to and including 10.3.2 are affected. The plugin is available through the WordPress.org plugin repository and is identified by CPE references to the quiz-master-next package. Versions prior to an unspecified patched release contain the missing authorization vulnerability.

Remediation

Update Quiz And Survey Master to the latest patched version released after 10.3.2 through the WordPress plugin dashboard or by downloading directly from the official plugin repository at wordpress.org. If immediate upgrade is not feasible, review and restrict access to quiz and survey administration pages through WordPress user role management, ensuring only authenticated and properly privileged administrators can access sensitive quiz data and survey responses. Consult Patchstack's vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-1-broken-access-control-vulnerability for technical details and confirmation of the patched version.
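To find installs that still fall in the affected range before scheduling the update, the following added example (not code from this page or from the plugin) walks a hosting tree and reads the version from each copy of the plugin. It assumes the usual `wp-content/plugins/quiz-master-next` layout and a standard WordPress plugin header; function names are illustrative.

```python
import re
import sys
from pathlib import Path

SLUG = "quiz-master-next"    # plugin slug named in the advisory
LAST_AFFECTED = (10, 3, 2)   # advisory: affected "through <= 10.3.2"

# Same shape as a WordPress plugin header line, e.g. " * Version: 10.3.1"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.M | re.I)

def plugin_version(plugin_dir):
    """Return the version tuple from the plugin's header file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress reads plugin headers from the first 8 KB of the file.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        match = VERSION_RE.search(head)
        if "Plugin Name:" in head and match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None

def classify(version):
    """Compare a version tuple against the advisory's affected range."""
    if version is None:
        return "unknown"
    padded = version + (0,) * (len(LAST_AFFECTED) - len(version))
    return "affected" if padded <= LAST_AFFECTED else "above affected range"

def scan(root):
    """Map each installed copy of the plugin under root to (version, status)."""
    findings = {}
    for path in Path(root).rglob(SLUG):
        if path.is_dir() and path.parent.name == "plugins":
            version = plugin_version(path)
            label = ".".join(map(str, version)) if version else "?"
            findings[str(path)] = (label, classify(version))
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for location, (label, status) in scan(root).items():
        print(f"{status:22} {label:10} {location}")
```

"above affected range" only means the version is newer than 10.3.2; confirm the fixed release against the Patchstack advisory, since this page does not name it.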

Priority Score

27
KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0
