Skip to main content
CVE Vulnerability Database

CVE-2025-9294: Quiz and Survey Master Auth Bypass Flaw

CVE-2025-9294 is an authorization bypass vulnerability in the Quiz and Survey Master WordPress plugin, allowing low-privilege users to delete quiz results. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-9294 Overview

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress contains a Broken Access Control vulnerability due to a missing capability check on the qsm_dashboard_delete_result function. This authorization bypass affects all versions up to and including 10.3.1, enabling authenticated attackers with Subscriber-level access or above to delete quiz results without proper authorization.

Critical Impact

Authenticated attackers with low-privilege Subscriber accounts can delete quiz results, leading to unauthorized data loss and potential disruption of quiz/survey data integrity.

Affected Products

  • Quiz and Survey Master (QSM) plugin for WordPress versions up to and including 10.3.1
  • WordPress installations using vulnerable QSM plugin versions

Discovery Timeline

  • 2026-01-06 - CVE CVE-2025-9294 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-9294

Vulnerability Analysis

This vulnerability is classified as CWE-285 (Improper Authorization). The core issue stems from the qsm_dashboard_delete_result function lacking proper capability checks before executing delete operations on quiz result data. WordPress plugins should implement capability checks using functions like current_user_can() to verify that the requesting user has appropriate permissions before performing privileged actions.

Without this authorization check, any authenticated user—including those with minimal Subscriber-level access—can invoke the delete function and remove quiz results. This violates the principle of least privilege and exposes the plugin to unauthorized data manipulation.

Root Cause

The root cause is the absence of a capability check in the qsm_dashboard_delete_result function within the plugin's admin options page. The function processes delete requests without verifying whether the authenticated user has the necessary administrative permissions to perform such operations. This is a common vulnerability pattern in WordPress plugins where AJAX handlers or admin functions fail to implement proper access controls.

Attack Vector

The attack vector is network-based and requires the attacker to have at least Subscriber-level authentication on the WordPress site. Once authenticated, the attacker can craft requests to the vulnerable function endpoint to delete quiz results. The attack requires no user interaction and has low complexity, as the attacker simply needs to identify the correct function call and submit appropriately formatted requests.

The vulnerability allows modification of data integrity (quiz results deletion) but does not provide direct access to sensitive information or system availability impacts beyond the data loss itself.

Detection Methods for CVE-2025-9294

Indicators of Compromise

  • Unexpected deletion of quiz results, particularly from users without administrative roles
  • Audit logs showing qsm_dashboard_delete_result function calls from Subscriber-level accounts
  • Anomalous patterns of quiz result deletions that don't correlate with legitimate administrative activity

Detection Strategies

  • Monitor WordPress audit logs for quiz result deletion events initiated by non-administrator users
  • Implement file integrity monitoring on the Quiz and Survey Master plugin directory to detect unauthorized modifications
  • Review user activity logs for Subscriber accounts accessing administrative plugin functions
  • Deploy web application firewall (WAF) rules to detect and block suspicious requests to the vulnerable endpoint

Monitoring Recommendations

  • Enable comprehensive WordPress activity logging with plugins that capture user actions and function calls
  • Set up alerts for any quiz result deletion operations from users below Administrator or Editor roles
  • Regularly audit user permissions to ensure Subscriber accounts have not been granted elevated access
  • Monitor for bulk deletion patterns that may indicate exploitation attempts

How to Mitigate CVE-2025-9294

Immediate Actions Required

  • Update the Quiz and Survey Master plugin to a patched version as soon as one becomes available
  • Audit recent quiz result deletions to identify any potential unauthorized data loss
  • Review all Subscriber-level accounts for suspicious activity
  • Consider temporarily disabling the plugin if it's not essential to site operations until a patch is available

Patch Information

A patch addressing this vulnerability should add proper capability checks to the qsm_dashboard_delete_result function. Monitor the WordPress Quiz Master Next plugin repository and the Wordfence vulnerability report for updates on patched versions.

Workarounds

  • Restrict user registration on WordPress sites using the vulnerable plugin to limit the creation of new Subscriber accounts
  • Implement additional access control plugins that provide capability-based restrictions on plugin functions
  • Use a web application firewall to block requests to the vulnerable function endpoint
  • Regularly backup quiz data to enable recovery in case of unauthorized deletions
bash
# Verify installed QSM plugin version via WP-CLI
wp plugin list --name=quiz-master-next --fields=name,version,update_version,status

# Check for available plugin updates
wp plugin update quiz-master-next --dry-run

# Backup current quiz data before applying updates
wp db export qsm-backup-$(date +%Y%m%d).sql --tables=$(wp db tables --all-tables | grep qsm)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.