Skip to main content

ExpressTech Systems Quiz And Survey Master CVE-2025-63054

MEDIUM
Missing Authorization (CWE-862)
2025-12-09 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 09, 2025 - 16:18 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.2.

AnalysisAI

Missing authorization in ExpressTech Systems Quiz And Survey Master WordPress plugin through version 10.3.2 allows unauthenticated remote attackers to read sensitive quiz and survey data by exploiting incorrectly configured access control security levels. The vulnerability is assigned CVSS 5.3 (moderate), affects the plugin across multiple versions, and enables unauthorized information disclosure without requiring authentication or user interaction.

Technical ContextAI

CWE-862 (Missing Authorization) identifies the root cause: the plugin fails to enforce proper access control checks before granting access to quiz and survey resources. This is a classic broken access control vulnerability where the application relies on security-through-obscurity or client-side controls rather than server-side authorization validation. The vulnerability affects ExpressTech Systems' Quiz And Survey Master plugin, likely in the WordPress plugin architecture where API endpoints or administrative functions lack proper capability verification before returning sensitive quiz data, survey responses, or configuration details.

Affected ProductsAI

ExpressTech Systems Quiz And Survey Master WordPress plugin versions up to and including 10.3.2 are affected. The plugin is available through the WordPress.org plugin repository and is identified by CPE references to the quiz-master-next package. Versions prior to an unspecified patched release contain the missing authorization vulnerability.

RemediationAI

Update Quiz And Survey Master to the latest patched version released after 10.3.2 through the WordPress plugin dashboard or by downloading directly from the official plugin repository at wordpress.org. If immediate upgrade is not feasible, review and restrict access to quiz and survey administration pages through WordPress user role management, ensuring only authenticated and properly-privileged administrators can access sensitive quiz data and survey responses. Consult Patchstack's vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-1-broken-access-control-vulnerability for technical details and confirmation of the patched version.

Share

CVE-2025-63054 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy