CVE-2026-9230 in Quiz and Survey Master Plugin
Summary
by MITRE • 07/03/2026
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify quizzes they do not own, overwrite quiz results pages, and reroute quiz-result notification emails to attacker-controlled addresses. An attacker first calls the /quiz/structure endpoint with an arbitrary victim quiz ID to obtain a valid nonce bound to that quiz ID and their own user ID, then presents that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/03/2026
The Quiz and Survey Master plugin for WordPress represents a widely used tool for creating interactive quizzes and surveys within web applications, yet it contains a critical authorization bypass vulnerability that undermines the security model of the platform. This vulnerability affects all versions up to and including 11.1.4, exposing a fundamental flaw in how the plugin handles user permissions and access control mechanisms. The issue stems from inadequate verification processes that fail to properly validate whether authenticated users possess legitimate authorization to perform specific actions within the plugin's framework.
The technical implementation of this vulnerability exploits a nonce-based authentication system that incorrectly validates user permissions when processing quiz-related operations. Attackers with contributor-level access or higher can manipulate the plugin's API endpoints by first retrieving a valid nonce from the /quiz/structure endpoint using an arbitrary quiz ID belonging to another user. This nonce, which is bound to both the specific quiz ID and the attacker's user account, can then be submitted to the /quizzes/{id}/emails save endpoint without proper verification of quiz ownership. The flaw lies in the plugin's failure to cross-check that the requesting user has legitimate authorization to modify the target quiz, creating a pathway for unauthorized modifications.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it allows attackers to perform multiple malicious actions within the compromised system. Contributors and higher-privileged users can modify quizzes they do not own, potentially altering quiz content, questions, or scoring mechanisms to manipulate results. The vulnerability also enables attackers to overwrite quiz results pages, which could contain sensitive information or be used to redirect users to malicious destinations. Additionally, the ability to reroute quiz-result notification emails to attacker-controlled addresses creates opportunities for phishing attacks, data exfiltration, and social engineering campaigns that exploit the trust associated with legitimate quiz notifications.
This vulnerability aligns with CWE-285, which describes improper authorization in software systems, and represents a classic example of insufficient access control validation. From an ATT&CK framework perspective, the vulnerability maps to privilege escalation techniques where attackers leverage existing user credentials to perform unauthorized actions within applications. The attack vector specifically relates to T1078 Valid Accounts and T1566 Phishing, as it allows for both unauthorized access to quiz functionality and manipulation of notification systems that could be used for further social engineering campaigns. Organizations using this plugin face significant risks including data integrity compromise, unauthorized content modification, and potential exposure of sensitive user information through manipulated notification channels.
The recommended mitigation approach involves immediate patching to the latest available version of the Quiz and Survey Master plugin where this authorization bypass has been resolved. System administrators should also implement additional monitoring controls around API endpoint access patterns, particularly focusing on unusual nonce usage and cross-user quiz modifications. Role-based access control enforcement should be strengthened through WordPress's built-in capabilities, ensuring that users cannot modify content they do not own regardless of the plugin's vulnerabilities. Organizations should consider implementing network-level restrictions to limit access to sensitive endpoints and maintain detailed audit logs of all quiz-related modifications for security analysis purposes.