Skip to main content

HD Quiz EUVDEUVD-2026-39932

| CVE-2026-13422 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-27 Wordfence GHSA-73vw-76h4-g45m
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network delivery requires no attacker privileges, but mandatory admin interaction (UI:R) and scope-limited low integrity impact accurately reflect the CSRF constraint.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 02:15 vuln.today
CVE Published
Jun 27, 2026 - 01:27 cve.org
MEDIUM 4.3

DescriptionCVE.org

The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create new quizzes, and change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery in the HD Quiz WordPress plugin versions 2.2.0 and 2.2.1 enables unauthenticated attackers to manipulate quiz content and plugin settings by tricking a logged-in administrator into clicking a crafted link. The flaw originates in the hdq_validate_nonce function (includes/functions.php:39), which fails to properly validate WordPress nonces across at least six distinct AJAX action handlers in includes/actions-ajax.php. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft forged AJAX request targeting HD Quiz endpoints
Delivery
Deliver malicious link to WordPress site administrator
Exploit
Admin clicks link while authenticated to dashboard
Execution
Browser sends forged POST with valid session cookie
Impact
Plugin executes unauthorized quiz/settings action due to missing nonce check

Vulnerability AssessmentAI

Exploitation Exploitation requires a WordPress site administrator to be actively authenticated to their WordPress dashboard and to click an attacker-supplied link or visit an attacker-controlled page during that session. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) reflects the mandatory user interaction (UI:R) that caps exploitability - an administrator must actively click a malicious link or visit an attacker-controlled page while authenticated to WordPress. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker creates a webpage containing hidden HTML forms or JavaScript auto-submitting forged POST requests targeting the HD Quiz AJAX endpoints (e.g., deleting all quizzes or overwriting plugin settings). The attacker delivers the page URL via email or social media to a WordPress site administrator. …
Remediation No vendor-released patched version is identified in the available data; the highest confirmed vulnerable version is 2.2.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39932 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy