Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
REST API is network-accessible requiring contributor authentication (PR:L); impact is limited to quiz integrity modification with no confidentiality or availability loss.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify quizzes they do not own, overwrite quiz results pages, and reroute quiz-result notification emails to attacker-controlled addresses. An attacker first calls the /quiz/structure endpoint with an arbitrary victim quiz ID to obtain a valid nonce bound to that quiz ID and their own user ID, then presents that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership.
AnalysisAI
{id}/emails endpoint then honors that nonce without an ownership check. Attackers exploiting this can overwrite victim quiz result pages and redirect quiz notification emails to attacker-controlled addresses - a vector for targeted phishing against quiz respondents. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account with at minimum contributor-level role on the target site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) accurately reflects the bounded impact: network-accessible, low complexity, but requiring a minimum of contributor-level WordPress authentication, with only limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or already holds a contributor-level WordPress account on a target site running QSM ≤11.1.4. They enumerate a victim quiz ID (trivially available from public quiz URLs), call GET /quiz/structure with that ID to receive a valid nonce, then immediately submit POST /quizzes/{victim_id}/emails with the nonce and an attacker-controlled email address. … |
| Remediation | The primary remediation is to update the Quiz and Survey Master plugin beyond version 11.1.4; a fix commit is referenced at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3570062%40quiz-master-next&new=3570062%40quiz-master-next, though the exact first patched release version has not been independently confirmed from available data - verify against the WordPress plugin repository changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41513
GHSA-j6gj-9v56-qvqx