Skip to main content

Quiz and Survey Master EUVDEUVD-2026-41513

| CVE-2026-9230 MEDIUM
Missing Authorization (CWE-862)
2026-07-03 Wordfence GHSA-j6gj-9v56-qvqx
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

REST API is network-accessible requiring contributor authentication (PR:L); impact is limited to quiz integrity modification with no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 08:21 vuln.today
CVE Published
Jul 03, 2026 - 06:50 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify quizzes they do not own, overwrite quiz results pages, and reroute quiz-result notification emails to attacker-controlled addresses. An attacker first calls the /quiz/structure endpoint with an arbitrary victim quiz ID to obtain a valid nonce bound to that quiz ID and their own user ID, then presents that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership.

AnalysisAI

{id}/emails endpoint then honors that nonce without an ownership check. Attackers exploiting this can overwrite victim quiz result pages and redirect quiz notification emails to attacker-controlled addresses - a vector for targeted phishing against quiz respondents. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor WordPress credentials
Delivery
Enumerate victim quiz ID from public quiz URLs
Exploit
GET /quiz/structure with victim quiz ID to retrieve nonce
Execution
POST /quizzes/{id}/emails with nonce and attacker email
Persist
Victim quiz notifications rerouted to attacker
Impact
Harvest respondent data via phishing

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account with at minimum contributor-level role on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) accurately reflects the bounded impact: network-accessible, low complexity, but requiring a minimum of contributor-level WordPress authentication, with only limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a contributor-level WordPress account on a target site running QSM ≤11.1.4. They enumerate a victim quiz ID (trivially available from public quiz URLs), call GET /quiz/structure with that ID to receive a valid nonce, then immediately submit POST /quizzes/{victim_id}/emails with the nonce and an attacker-controlled email address. …
Remediation The primary remediation is to update the Quiz and Survey Master plugin beyond version 11.1.4; a fix commit is referenced at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3570062%40quiz-master-next&new=3570062%40quiz-master-next, though the exact first patched release version has not been independently confirmed from available data - verify against the WordPress plugin repository changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41513 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy