CVE-2026-9233 in Quiz and Survey Master Plugin

Summary

by MITRE • 06/27/2026

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create, modify, and delete quiz output templates stored in the mlw_quiz_output_templates database table, including storing unsanitized HTML content such as arbitrary script tags.


Analysis

by VulDB Data Team • 06/27/2026

The Quiz and Survey Master plugin for WordPress presents a critical authorization bypass vulnerability that affects all versions through 11.1.4, representing a fundamental flaw in access control implementation. This vulnerability stems from the plugin's failure to properly validate user permissions before executing sensitive operations within the mlw_quiz_output_templates database table. The issue creates a pathway for authenticated attackers who possess contributor-level privileges or higher to circumvent intended security restrictions and perform unauthorized actions on quiz template data.

The flaw lets authenticated users with insufficient privileges reach the code paths that write to the quiz output template table, because those paths do not verify that the caller is authorized to manage templates. An attacker who abuses this can create new template entries, modify existing ones, or delete templates entirely, and can store unsanitized HTML content, including embedded script tags. This is significant because the stored content bypasses WordPress's normal sanitization processes and could execute in the browsers of other users when the templates are rendered.
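The pattern described above, as an added illustration rather than QSM's own code: a WordPress admin-ajax handler that writes a quiz output template, first without any authorization check and then with the checks a reviewer would expect. The hook names, the `manage_options` capability choice and the `title`/`content` column names are assumptions for the example; only the table name comes from the advisory.

```php
<?php
// Added example (not QSM's or VulDB's code). Hook names, capability and column
// names are assumptions; the table name is the one cited in the advisory.

// Vulnerable pattern: wp_ajax_* hooks fire for every logged-in role, so any
// authenticated user (a contributor included) reaches this handler, and the
// handler neither checks a capability nor sanitizes what it stores.
add_action( 'wp_ajax_example_save_template_insecure', function () {
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'mlw_quiz_output_templates',
        array(
            'title'   => $_POST['title'],   // unvalidated
            'content' => $_POST['content'], // unsanitized: <script> is stored verbatim
        )
    );
    wp_send_json_success();
} );

// Hardened pattern: CSRF nonce, capability check, and sanitization as a second
// layer so that stored XSS is not possible even if another path is missed.
function example_save_template_secure() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_save_template', 'nonce' );

    // 2. Authorization: only users allowed to manage templates may continue.
    //    manage_options (administrators) is an assumption; a plugin-specific
    //    capability mapped onto roles would be more precise.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input handling: wp_kses_post() keeps the HTML a post author may use
    //    and strips <script>, on* event handlers and javascript: URLs.
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Title required' ), 400 );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'mlw_quiz_output_templates';
    $ok    = $wpdb->insert( $table, array( 'title' => $title, 'content' => $content ), array( '%s', '%s' ) );
    if ( false === $ok ) {
        wp_send_json_error( array( 'message' => 'Database error' ), 500 );
    }
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}
add_action( 'wp_ajax_example_save_template', 'example_save_template_secure' );
```

The ordering matters: the nonce check rejects cross-site requests, the capability check is the authorization decision this CVE is about, and the sanitization protects readers of the template if either of the first two is ever bypassed. When reviewing a plugin, every `wp_ajax_*`, REST route and `admin_post_*` handler that writes to the database should show the equivalent of steps 1 and 2 before the write.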

The operational impact of this vulnerability extends beyond simple template manipulation to create potential vectors for cross-site scripting attacks and persistent threats within the WordPress environment. Attackers can leverage this authorization bypass to inject malicious scripts into quiz templates, which would execute whenever those templates are displayed to end users. This could lead to session hijacking, data exfiltration, or further compromise of the WordPress installation through user interactions with compromised template content.

This vulnerability aligns with CWE-285, which addresses improper authorization in software systems, and represents a clear violation of the principle of least privilege. The issue also maps to ATT&CK technique T1078.004, which covers valid accounts for lateral movement, as attackers can exploit existing contributor-level access to escalate their privileges within the plugin's functionality. Organizations should implement immediate mitigations including updating to version 11.1.5 or later, reviewing user permissions, and monitoring database activities for unauthorized template modifications.

The security implications of this flaw demonstrate how a seemingly minor access control oversight can create a substantial entry point for attackers seeking to compromise WordPress installations. Regular security audits of plugin components should verify that authorization checks are properly implemented, particularly around database operations that modify stored content or template configurations. System administrators must ensure that all user roles have appropriate permissions and that plugins undergo thorough security validation before deployment in production environments.

Organizations utilizing QSM should conduct comprehensive assessments of their current template configurations to identify any malicious entries that may have been introduced through this vulnerability. The recommended remediation involves not only updating the plugin but also implementing additional security measures such as content filtering, database query monitoring, and regular security scanning to detect similar authorization bypass opportunities in other plugins or custom code components within the WordPress ecosystem.
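One way to carry out the template assessment recommended above, as an added example that is not part of the VulDB entry or the plugin: a WP-CLI script (`wp eval-file audit-templates.php`) that reads the table named in the advisory and flags rows whose content would not survive WordPress's own `wp_kses_post()` filter or that contain common script-injection markers. The `id`, `title` and `content` column names and the marker list are assumptions; adjust them to the real schema.

```php
<?php
// Added example (not QSM's or VulDB's code). Run from the site root with:
//   wp eval-file audit-templates.php
// Column names (id, title, content) are assumptions; the table name is from the advisory.
global $wpdb;
$table = $wpdb->prefix . 'mlw_quiz_output_templates';

// Markers that a template written through the normal editor should not contain.
// This list is an assumption covering common stored-XSS shapes, not all of them.
$markers = array( '<script', 'javascript:', 'onerror=', 'onload=', 'srcdoc=', '<iframe', 'data:text/html' );

$rows    = $wpdb->get_results( "SELECT id, title, content FROM {$table}", ARRAY_A );
$flagged = array();

foreach ( $rows as $row ) {
    $reasons = array();

    // Anything that changes after wp_kses_post() bypassed the sanitization path
    // that normal saves go through. Harmless normalisation (attribute quoting)
    // can also trip this, so treat it as a lead to review, not a verdict.
    if ( wp_kses_post( $row['content'] ) !== $row['content'] ) {
        $reasons[] = 'differs-after-kses';
    }

    // Decode entities first so that encoded forms of the markers are still caught.
    $lower = strtolower( html_entity_decode( $row['content'] ) );
    foreach ( $markers as $m ) {
        if ( false !== strpos( $lower, $m ) ) {
            $reasons[] = 'marker:' . $m;
        }
    }

    if ( $reasons ) {
        $flagged[] = array( 'id' => $row['id'], 'title' => $row['title'], 'reasons' => $reasons );
    }
}

WP_CLI::log( sprintf( '%d templates scanned, %d flagged', count( $rows ), count( $flagged ) ) );
foreach ( $flagged as $f ) {
    WP_CLI::log( sprintf( '#%d %s: %s', $f['id'], $f['title'], implode( ', ', $f['reasons'] ) ) );
}
```

Flagged rows should be compared against a known-good export of the table from before the exposure window, and the plugin should be updated to 11.1.5 or later before any cleaned templates are saved back, so that the unauthorized write path is closed first.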

Responsible

Wordfence

Reservation

05/21/2026

Disclosure

06/27/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sector

Education
