CVE-2024-1078 in Quiz Maker Plugininfo

Summary

by MITRE • 02/07/2024

The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-1078 affects the Quiz Maker plugin for WordPress, specifically targeting versions up to and including 6.5.2.4. This security flaw represents a critical authorization bypass issue that undermines the plugin's data integrity controls. The vulnerability stems from insufficient capability checks within two key functions: ays_quick_start() and add_question_rows(). These functions are designed to handle quiz creation and question management operations, but they fail to validate whether the requesting user possesses appropriate permissions to perform these actions. The absence of proper access control mechanisms creates a pathway for authenticated attackers to manipulate quiz data without proper authorization, fundamentally compromising the plugin's security model.

The technical implementation of this vulnerability demonstrates a classic lack of input validation and privilege enforcement within WordPress plugin architecture. When authenticated users with subscriber-level access or higher invoke the affected functions, the system processes their requests without verifying their administrative privileges or specific quiz creation permissions. This flaw directly violates the principle of least privilege and demonstrates poor security implementation practices. The vulnerability affects the core data modification capabilities of the plugin, allowing attackers to create arbitrary quizzes that could contain malicious content or be used to manipulate quiz results. From a cybersecurity perspective, this represents a significant risk as it enables attackers to potentially inject harmful data into the quiz system and potentially compromise the integrity of educational or assessment content.

The operational impact of CVE-2024-1078 extends beyond simple data modification, creating potential risks for organizations relying on the Quiz Maker plugin for educational or corporate training purposes. Attackers could exploit this vulnerability to insert misleading quiz content, manipulate assessment results, or even create quizzes that could serve as vectors for further attacks. The vulnerability affects all user roles with subscriber-level access or higher, which is particularly concerning given that subscribers are typically the lowest privileged users in WordPress systems. This means that even users who should have minimal access to system functions could potentially exploit this flaw to gain unauthorized control over quiz creation processes. The impact is further amplified by the fact that quizzes often contain sensitive information, making this vulnerability particularly dangerous in environments where data confidentiality and integrity are paramount.

Organizations using the Quiz Maker plugin should immediately implement mitigation strategies to address this vulnerability. The primary recommendation involves updating to the latest version of the plugin where the capability checks have been properly implemented. Security teams should also consider implementing additional monitoring and access controls to detect unauthorized quiz creation activities. From a compliance standpoint, this vulnerability could potentially violate various security standards including those outlined in the CWE catalog under weakness category 284, which addresses improper access control. The ATT&CK framework would classify this vulnerability under privilege escalation techniques, specifically targeting the 'Abuse Elevation of Privilege' tactic. Organizations should also consider implementing network segmentation and access control policies to limit the potential impact of such vulnerabilities, ensuring that even if an attacker gains access through this route, the damage is contained and monitored effectively.

Responsible

Wordfence

Reservation

01/30/2024

Disclosure

02/07/2024

Moderation

accepted

CPE

ready

EPSS

0.00359

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!