
CVE-2026-10623: WordPress PressPrimer Quiz Auth Bypass

CVE-2026-10623 is an authentication bypass vulnerability in the PressPrimer Quiz plugin for WordPress that allows attackers to modify or delete quiz rules. This post covers technical details, affected versions, and mitigation.

CVE-2026-10623 Overview

CVE-2026-10623 affects the PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin for WordPress. The plugin contains an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in all versions up to and including 2.3.0. The flaw lies in the rule_id parameter, a user-controlled key on which the plugin performs no ownership validation. Authenticated attackers with custom-level access or above can modify or delete quiz rules belonging to other teachers, resulting in unauthorized tampering with another user's quiz structure.

Critical Impact

Authenticated users with custom-level access can tamper with or delete quiz rules owned by other instructors, compromising assessment integrity across multi-teacher WordPress learning environments.

Affected Products

  • PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin for WordPress
  • All plugin versions up to and including 2.3.0
  • WordPress installations using the plugin's REST API endpoints in class-ppq-rest-controller.php

Discovery Timeline

  • 2026-06-18 - CVE-2026-10623 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-10623

Vulnerability Analysis

The vulnerability is an Insecure Direct Object Reference in the PressPrimer Quiz plugin's REST API. The plugin exposes endpoints that accept a rule_id parameter identifying a quiz rule object. The controller code in class-ppq-rest-controller.php processes requests against these identifiers without verifying that the authenticated user actually owns the referenced rule.

An authenticated attacker with custom-level permissions or higher can substitute arbitrary rule_id values into requests. The plugin then executes the requested modification or deletion against rules owned by other teachers. This breaks the multi-tenant ownership model the plugin advertises to instructors managing separate quizzes.

The affected endpoints span multiple lines of the REST controller, including the rule management routines at lines 434, 1703, 1786, 1813, 1860, 1923, and 1963 in the 2.1.0 and 2.2.2 release branches. See the Wordfence Vulnerability Report for the full endpoint inventory.

Root Cause

The root cause is missing authorization on a user-controlled key. The REST controller treats the rule_id value as a trusted reference and skips an ownership check against the calling user. The plugin does not enforce that the supplied rule belongs to the requester's quizzes before performing write or delete operations.
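As an added example (not the plugin's own code; the route, table names, column names and handler are assumptions, while the WordPress APIs used are real), here is the missing check expressed as a WordPress REST permission_callback, with the vulnerable form beside the hardened one:

```php
<?php
// Added illustration, not the plugin's own code. The route, table names and
// handler below are assumptions; the WordPress APIs used are real.

// Vulnerable shape: only "is someone logged in?" is checked, so any
// authenticated user may pass any rule_id (CWE-639).
function ppq_rule_permission_vulnerable( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened shape: look up who owns the rule and refuse the request unless
// the caller is that owner (or a site administrator) before the handler runs.
function ppq_rule_permission_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $rule_id = absint( $request->get_param( 'rule_id' ) );
    if ( 0 === $rule_id ) {
        return new WP_Error( 'ppq_bad_rule', 'Invalid rule_id.', array( 'status' => 400 ) );
    }
    // Assumed schema: rules reference a quiz, and the quiz row records its author.
    $owner_id = $wpdb->get_var( $wpdb->prepare(
        "SELECT q.author_id FROM {$wpdb->prefix}ppq_rules r
         JOIN {$wpdb->prefix}ppq_quizzes q ON q.id = r.quiz_id
         WHERE r.id = %d",
        $rule_id
    ) );
    if ( null === $owner_id ) {
        // 404 rather than 403 so the endpoint does not reveal which ids exist.
        return new WP_Error( 'ppq_not_found', 'Rule not found.', array( 'status' => 404 ) );
    }
    if ( (int) $owner_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'ppq_forbidden', 'You do not own this rule.', array( 'status' => 403 ) );
    }
    return true;
}

// Minimal handler: it can trust rule_id because the permission callback ran first.
function ppq_delete_rule_handler( WP_REST_Request $request ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'ppq_rules', array( 'id' => absint( $request['rule_id'] ) ) );
    return rest_ensure_response( array( 'deleted' => (bool) $deleted ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ppq/v1', '/rules/(?P<rule_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'ppq_delete_rule_handler',
        'permission_callback' => 'ppq_rule_permission_hardened', // never the _vulnerable form
    ) );
} );
```

The same ownership lookup belongs on every route that accepts rule_id for a write, which is what the vendor's fix description says 2.3.1 does for quiz items and quiz rules.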

Attack Vector

Exploitation requires an authenticated WordPress session at custom-level access or above. The attacker sends a crafted REST API request specifying a rule_id belonging to another teacher's quiz. The vulnerable handler proceeds with the modification or deletion. No user interaction from the victim is needed.

```php
// Patch reference from pressprimer-quiz.php
// Source: https://github.com/PressPrimer/pressprimer-quiz/commit/1795687
 * Plugin Name:       PressPrimer Quiz
 * Plugin URI:        https://pressprimer.com/quiz
 * Description:       Enterprise-grade quiz and assessment platform for educators with AI question generation, LMS integration, and modern themes.
- * Version:           2.3.0
+ * Version:           2.3.1
 * Requires at least: 6.4
 * Requires PHP:      7.4
 * Author:            PressPrimer
```
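Review bot: the hunk shows only the plugin header bump from 2.3.0 to 2.3.1; the ownership enforcement the commit message describes (checking that the supplied rule_id belongs to the requester's quiz before write or delete operations) is not in the quoted lines, so a reader cannot verify the fix from this excerpt. Suggest quoting the corresponding change in class-ppq-rest-controller.php next to the version bump, and noting that the readme Stable tag change mentioned under Patch Information is part of the same commit.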

The commit message describes the fix as enforcing quiz ownership on all quiz items and quiz rules REST endpoints. See the GitHub Commit Details for the full diff.

Detection Methods for CVE-2026-10623

Indicators of Compromise

  • REST API requests targeting PressPrimer Quiz endpoints with rule_id values not associated with the authenticated user's own quizzes.
  • Unexpected modification or deletion of quiz rules reported by instructors who did not initiate the change.
  • Audit log gaps where rule changes lack a matching authoring action by the rule's legitimate owner.

Detection Strategies

  • Inspect WordPress access logs for POST, PUT, and DELETE calls against the plugin's REST routes in class-ppq-rest-controller.php.
  • Correlate the WordPress user ID making the request with the database owner of the referenced rule_id to flag cross-owner activity.
  • Alert on custom-role accounts performing bulk rule operations across multiple teacher accounts in a short window.
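An added detection script (not from the page or the vendor) that applies the second strategy above to constructed log lines; the log format, the rule-to-owner map and the route prefix are all assumptions, and a real deployment would read them from the site's access logs and database:

```php
<?php
// Added illustration, not the plugin's own code. The log format, the
// rule-to-owner map and the route prefix are constructed assumptions;
// a real deployment would read both from the site's logs and database.

// Constructed log lines: "<wp_user_id> <method> <path>", one request each.
$log = <<<'LOG'
7 PUT /wp-json/ppq/v1/rules/101
7 DELETE /wp-json/ppq/v1/rules/205
9 PUT /wp-json/ppq/v1/rules/101
9 GET /wp-json/ppq/v1/rules/101
12 POST /wp-json/ppq/v1/rules/333
LOG;

// Constructed map: rule_id => WordPress user id of the owning teacher.
$rule_owner = array( 101 => 7, 205 => 9, 333 => 12 );

/**
 * Flag write/delete calls on a rule_id the caller does not own.
 * Returns one [user_id, method, rule_id, owner_id] entry per cross-owner hit.
 */
function ppq_find_cross_owner_writes( string $log, array $rule_owner ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( '#^(\d+) (POST|PUT|PATCH|DELETE) /wp-json/ppq/v1/rules/(\d+)$#', $line, $m ) ) {
            continue; // reads and unrelated routes are out of scope
        }
        $user_id = (int) $m[1];
        $rule_id = (int) $m[3];
        // Unknown rule ids are reported as well: writes to ids that do not exist are a probing signal.
        $owner = $rule_owner[ $rule_id ] ?? null;
        if ( $owner !== $user_id ) {
            $hits[] = array( $user_id, $m[2], $rule_id, $owner );
        }
    }
    return $hits;
}

foreach ( ppq_find_cross_owner_writes( $log, $rule_owner ) as [ $user, $method, $rule, $owner ] ) {
    printf( "ALERT user %d issued %s on rule %d owned by %s\n", $user, $method, $rule, $owner ?? 'unknown' );
}
```

On the constructed input this raises two alerts (user 7 deleting rule 205 and user 9 updating rule 101) and ignores the GET and the owner's own POST.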

Monitoring Recommendations

  • Enable verbose REST API logging on WordPress sites running the PressPrimer Quiz plugin.
  • Monitor the plugin's installed version and confirm upgrades to 2.3.1 or later across all environments.
  • Track creation of new custom-level WordPress accounts that could be abused to reach the vulnerable endpoints.

How to Mitigate CVE-2026-10623

Immediate Actions Required

  • Update the PressPrimer Quiz plugin to version 2.3.1 or later, which enforces ownership checks on all quiz items and quiz rules REST endpoints.
  • Audit existing quiz rules for unauthorized modifications or deletions since the plugin was installed.
  • Review custom-level and higher WordPress accounts and remove any that are not strictly required.

Patch Information

The vendor released version 2.3.1 containing commit 1795687, described as "fix: enforce quiz ownership on all quiz items and quiz rules REST endpoints." The patch updates the plugin header from Version: 2.3.0 to Version: 2.3.1 and the readme Stable tag accordingly. Apply this update through the WordPress plugin dashboard or via WP-CLI.

Workarounds

  • Temporarily restrict custom-level and contributor-equivalent roles from accessing the plugin's REST routes using a web application firewall rule.
  • Limit account creation and downgrade unnecessary teacher accounts until the patched version is deployed.
  • Back up the WordPress database before applying the update so that any tampered rules can be restored.

```bash
# Upgrade the PressPrimer Quiz plugin to the patched release using WP-CLI
wp plugin update pressprimer-quiz --version=2.3.1
wp plugin get pressprimer-quiz --field=version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
