CVE-2025-9637 Overview
The Quiz and Survey Master (QSM) plugin for WordPress contains a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to access and modify data without proper capability checks. This authorization bypass affects multiple functions within the plugin, enabling attackers to view unpublished, private, or password-protected quizzes and submit file responses to questions that allow file uploads.
Critical Impact
Unauthenticated attackers can access protected quiz content and exploit file upload functionality, potentially leading to information disclosure and unauthorized data modification on affected WordPress sites.
Affected Products
- Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress versions up to and including 10.3.1
Discovery Timeline
- January 6, 2026 - CVE-2025-9637 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-9637
Vulnerability Analysis
This vulnerability stems from a fundamental access control flaw where the Quiz and Survey Master plugin fails to implement proper capability and status checks on multiple functions. The missing authorization checks allow unauthenticated users to bypass intended access restrictions entirely.
The vulnerability affects the quiz management class and REST API endpoints within the plugin. When an attacker sends requests to these endpoints, the application does not verify whether the user has appropriate permissions or whether the targeted quiz is in a published state. This allows attackers to enumerate and access quiz data that should be restricted based on publication status (unpublished, private, or password-protected).
Furthermore, the file upload functionality associated with quiz question responses lacks the same authorization controls, enabling attackers to submit files to protected quizzes. This creates both an information disclosure risk through quiz content access and a potential data integrity issue through unauthorized file submissions.
Root Cause
The root cause is a missing authorization check (CWE-862) in multiple functions within the class-qmn-quiz-manager.php file and REST API handlers. The plugin's functions do not properly verify user capabilities before allowing access to quiz data or processing file submissions. Additionally, there are no status checks to validate whether a quiz is in a published state before serving its content to requesting users.
Attack Vector
The vulnerability is exploitable remotely over the network without authentication. An attacker can craft HTTP requests directly to the affected REST API endpoints or quiz management functions to:
- Enumerate available quizzes regardless of their publication status
- Retrieve details of unpublished, private, or password-protected quizzes
- Submit file responses to quiz questions that accept file uploads
The attack requires no user interaction and can be executed by sending crafted requests to the vulnerable WordPress installation. Technical details of the affected code paths can be found in the WordPress Quiz Manager Class and REST API implementation.
Detection Methods for CVE-2025-9637
Indicators of Compromise
- Unusual access patterns to QSM REST API endpoints from unauthenticated sessions
- Log entries showing access to quiz data by users without WordPress authentication cookies
- Unexpected file uploads associated with quiz submissions from anonymous users
- Access to quizzes with unpublished, draft, or private status through API endpoints
Detection Strategies
- Monitor WordPress access logs for requests to /wp-json/ endpoints belonging to the QSM plugin that arrive from unauthenticated sources
- Implement web application firewall (WAF) rules to detect enumeration attempts targeting quiz endpoints
- Review server logs for patterns indicating quiz ID enumeration or brute-force access attempts
- Alert on file upload events associated with quiz submissions that lack valid user authentication
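The detection strategies above, as an added example that is not part of the original advisory: a small log analyser that flags QSM REST requests arriving without a WordPress login cookie and source IPs that walk many distinct quiz resources. It assumes a custom Apache LogFormat that appends the Cookie request header (the stock "combined" format does not log cookies), and the /wp-json/qsm/ prefix and /v1/quiz/{id} route shapes are placeholders, not the plugin's confirmed endpoints.

```python
import re
from collections import defaultdict

# Assumed Apache LogFormat: "%h %t \"%r\" %>s \"%{Cookie}i\"" (hypothetical).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
QSM_PREFIX = "/wp-json/qsm/"   # assumed REST namespace, mirrors the .htaccess workaround
ENUM_THRESHOLD = 5             # distinct quiz paths from one IP before we call it enumeration


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, threshold=ENUM_THRESHOLD):
    """Return (unauth_hits, enumerators).

    unauth_hits: QSM API requests carrying no wordpress_logged_in cookie.
    enumerators: {ip: distinct QSM paths} for IPs at or above the threshold.
    """
    unauth = []
    paths_by_ip = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if not rec or not rec["path"].startswith(QSM_PREFIX):
            continue
        paths_by_ip[rec["ip"]].add(rec["path"])
        # Cookie presence can be forged, so it is only a weak "authenticated"
        # signal; its absence, however, reliably marks an anonymous session.
        if "wordpress_logged_in" not in rec["cookie"]:
            unauth.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    enumerators = {ip: len(p) for ip, p in paths_by_ip.items() if len(p) >= threshold}
    return unauth, enumerators


# Constructed sample log lines (not real traffic): one logged-in editor, one
# unrelated login-page hit, and one anonymous client walking quiz IDs and
# then posting a file response.
SAMPLE_LOG = [
    '10.0.0.5 [08/Jan/2026:10:00:01 +0000] "GET /wp-json/qsm/v1/quiz/7 HTTP/1.1" 200 "wordpress_logged_in_1a2b=editor%7C123"',
    '203.0.113.4 [08/Jan/2026:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 "-"',
] + [
    f'198.51.100.9 [08/Jan/2026:10:01:{i:02d} +0000] "GET /wp-json/qsm/v1/quiz/{i} HTTP/1.1" 200 "-"'
    for i in range(1, 6)
] + [
    '198.51.100.9 [08/Jan/2026:10:01:30 +0000] "POST /wp-json/qsm/v1/quiz/3/upload HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    hits, enum = analyze(SAMPLE_LOG)
    print(f"{len(hits)} unauthenticated QSM requests; enumerators: {enum}")
```

On real logs, feed the file's lines to analyze() and route the two result sets to separate SIEM alerts, since a handful of anonymous requests to a published quiz is expected while a high distinct-path count from one source is not.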
Monitoring Recommendations
- Enable detailed logging for the QSM plugin directory and REST API interactions
- Configure SIEM alerts for anomalous quiz access patterns, particularly to protected content
- Implement rate limiting on quiz-related API endpoints to slow enumeration attempts
- Regularly audit uploaded files in quiz response directories for unauthorized submissions
How to Mitigate CVE-2025-9637
Immediate Actions Required
- Update the Quiz and Survey Master plugin to a version newer than 10.3.1 that includes the security patch
- Audit existing quiz configurations to identify sensitive content that may have been exposed
- Review server logs for evidence of exploitation attempts or unauthorized access
- Temporarily disable file upload functionality in quiz questions until patched
Patch Information
The vulnerability affects all versions of Quiz and Survey Master up to and including 10.3.1. Site administrators should update to the latest patched version available in the WordPress plugin repository. Additional vulnerability details and patch status can be found in the Wordfence Vulnerability Report.
Workarounds
- Implement web application firewall rules to restrict unauthenticated access to QSM REST API endpoints
- Use server-level access controls to limit API access to authenticated users only
- Disable any quizzes containing sensitive information until the plugin can be updated
- Consider temporarily deactivating the QSM plugin if sensitive quiz data is at risk and immediate patching is not possible
# Example: Block unauthenticated access to QSM REST API in .htaccess
# Note: this only checks that a cookie whose name contains wordpress_logged_in
# is present, not that it is valid, so it is a stopgap, not a replacement for the patch.
# Adjust the /wp-json/qsm/ prefix if WordPress is installed in a subdirectory
# or if the plugin's REST namespace differs on your site.
<IfModule mod_rewrite.c>
RewriteEngine On
# Match requests to the QSM REST namespace (case-insensitive)
RewriteCond %{REQUEST_URI} ^/wp-json/qsm/ [NC]
# ...that carry no WordPress login cookie
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
# Return 403 Forbidden and stop processing further rules
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

