CVE-2025-9294 in Quiz and Survey Master (QSM) Plugin

Summary

by MITRE • 01/06/2026

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.


Analysis

by VulDB Data Team • 01/06/2026

The vulnerability identified as CVE-2025-9294 affects the Quiz and Survey Master plugin for WordPress, a widely used tool for creating interactive quizzes and surveys within WordPress environments. This plugin serves millions of users globally, making its security implications particularly significant. The vulnerability resides in the qsm_dashboard_delete_result function, which fails to properly validate user permissions before executing deletion operations on quiz results. The flaw represents a critical authorization bypass issue that allows attackers with minimal privileges to perform destructive actions within the plugin's administrative interface.

The technical nature of this vulnerability stems from the absence of proper capability checks within the plugin's codebase. Specifically, the qsm_dashboard_delete_result function does not verify whether the authenticated user possesses sufficient privileges to delete quiz results. This missing authorization check creates a path for privilege escalation where users with Subscriber-level access or higher can exploit this weakness to remove quiz submissions. The vulnerability is particularly concerning because it operates within the dashboard functionality, which is typically protected by WordPress's built-in capability management system. According to CWE-284, this represents an inadequate access control mechanism where insufficient checks allow unauthorized users to perform privileged operations.

The operational impact of this vulnerability extends beyond simple data loss, as it enables attackers to manipulate quiz data and potentially disrupt educational or business processes that depend on quiz results. Subscribers who have access to the WordPress site can leverage this vulnerability to delete valuable assessment data, undermining the integrity of the quiz system. The consequences may include loss of important user progress tracking, compromised academic records in educational settings, or corrupted business intelligence in corporate environments. This vulnerability particularly affects organizations that rely heavily on quiz data for analytics, performance tracking, or compliance reporting, as the deletion of quiz results can severely impact data integrity and audit trails.

Mitigation strategies for this vulnerability should focus on immediate patching of the affected plugin versions, with administrators urgently updating to versions that include proper capability checks. The WordPress security team recommends implementing the principle of least privilege by ensuring that users only receive the minimum permissions necessary for their roles. Organizations should also consider implementing additional monitoring and logging mechanisms to detect unauthorized deletion activities within the quiz plugin dashboard. From an ATT&CK framework perspective, this vulnerability aligns with techniques such as privilege escalation and data destruction, emphasizing the need for robust access control measures. System administrators should conduct comprehensive security audits of all installed plugins to identify similar authorization flaws and implement network segmentation to limit the potential impact of such vulnerabilities. The vulnerability also underscores the importance of regular security assessments and maintaining updated security practices in WordPress environments.
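To make the missing capability check described above concrete, here is an added illustrative WordPress AJAX handler in its unchecked form next to a hardened form; this is example code written for this page, not the plugin's own code or its actual fix. Only the handler name comes from the advisory; the hook name, nonce action, table name and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Illustrative example, not the plugin's code. Hook, nonce, table and
// capability names are assumptions; only the handler name is from the advisory.

// BEFORE: the pattern the advisory describes. Every logged-in user can reach
// wp_ajax_* handlers, so without a capability check a Subscriber can delete.
function qsm_dashboard_delete_result_unchecked() {
    global $wpdb;
    $result_id = isset( $_POST['result_id'] ) ? absint( $_POST['result_id'] ) : 0;
    // Assumed table name, for illustration only.
    $wpdb->delete( $wpdb->prefix . 'example_quiz_results',
        array( 'result_id' => $result_id ), array( '%d' ) );
    wp_send_json_success();
}

// AFTER: hardened form. Three checks run before any destructive action:
// 1. nonce bound to this action (CSRF), 2. capability check (authorization),
// 3. validation of the identifier.
function qsm_dashboard_delete_result_checked() {
    global $wpdb;

    // Nonce action and field names are assumptions for this example.
    check_ajax_referer( 'example_delete_result_nonce', 'nonce' );

    // Only users allowed to administer the site/plugin may delete results.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $result_id = isset( $_POST['result_id'] ) ? absint( $_POST['result_id'] ) : 0;
    if ( 0 === $result_id ) {
        wp_send_json_error( array( 'message' => 'Invalid result id.' ), 400 );
    }

    $deleted = $wpdb->delete( $wpdb->prefix . 'example_quiz_results',
        array( 'result_id' => $result_id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }

    // Audit trail: record who deleted which result, supporting the
    // monitoring of deletion activity the advisory recommends.
    error_log( sprintf( 'QSM result %d deleted by user %d',
        $result_id, get_current_user_id() ) );

    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// Registering on wp_ajax_ only (not wp_ajax_nopriv_) still admits every
// authenticated role, which is why the capability check inside is required.
add_action( 'wp_ajax_example_delete_result', 'qsm_dashboard_delete_result_checked' );
```

The capability check is the fix for the reported flaw; the nonce and audit log are the accompanying controls a reviewer would expect on any destructive admin action.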

Disclosure

01/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00034

KEV

no

Activities

very low

Sector

Education
