Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Network delivery requires no attacker privileges, but mandatory admin interaction (UI:R) and scope-limited low integrity impact accurately reflect the CSRF constraint.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create new quizzes, and change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery in the HD Quiz WordPress plugin versions 2.2.0 and 2.2.1 enables unauthenticated attackers to manipulate quiz content and plugin settings by tricking a logged-in administrator into clicking a crafted link. The flaw originates in the hdq_validate_nonce function (includes/functions.php:39), which fails to properly validate WordPress nonces across at least six distinct AJAX action handlers in includes/actions-ajax.php. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a WordPress site administrator to be actively authenticated to their WordPress dashboard and to click an attacker-supplied link or visit an attacker-controlled page during that session. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (Medium) reflects the mandatory user interaction (UI:R) that caps exploitability - an administrator must actively click a malicious link or visit an attacker-controlled page while authenticated to WordPress. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker creates a webpage containing hidden HTML forms or JavaScript auto-submitting forged POST requests targeting the HD Quiz AJAX endpoints (e.g., deleting all quizzes or overwriting plugin settings). The attacker delivers the page URL via email or social media to a WordPress site administrator. … |
| Remediation | No vendor-released patched version is identified in the available data; the highest confirmed vulnerable version is 2.2.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when g
The HD Quiz WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high priv
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harmonic Design HD
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39932
GHSA-73vw-76h4-g45m