Quiz Maker Plugin up to 6.7.0.80 on WordPress ays_quiz_check_answer information disclosure

Summaryinfo

A vulnerability classified as problematic has been found in Quiz Maker Plugin up to 6.7.0.80 on WordPress. This impacts the function ays_quiz_check_answer. The manipulation leads to information disclosure. This vulnerability is documented as CVE-2025-12426. The attack can be initiated remotely. There is not any exploit available.

Detailsinfo

A vulnerability was found in Quiz Maker Plugin up to 6.7.0.80 on WordPress. It has been rated as problematic. This issue affects the function ays_quiz_check_answer. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. The summary by CVE is:

The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz answers through the ays_quiz_check_answer AJAX action without proper authorization checks. The endpoint only validates a nonce, but that same nonce is publicly available to all site visitors via the quiz_maker_ajax_public localized script data. This makes it possible for unauthenticated attackers to extract sensitive data including quiz answers for any quiz question.

It is possible to read the advisory at wordfence.com. The identification of this vulnerability is CVE-2025-12426. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-198118). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• WordPress Plugin

Name

• Quiz Maker Plugin

Version

• 6.7.0.0
• 6.7.0.1
• 6.7.0.2
• 6.7.0.3
• 6.7.0.4
• 6.7.0.5
• 6.7.0.6
• 6.7.0.7
• 6.7.0.8
• 6.7.0.9
• 6.7.0.10
• 6.7.0.11
• 6.7.0.12
• 6.7.0.13
• 6.7.0.14
• 6.7.0.15
• 6.7.0.16
• 6.7.0.17
• 6.7.0.18
• 6.7.0.19
• 6.7.0.20
• 6.7.0.21
• 6.7.0.22
• 6.7.0.23
• 6.7.0.24
• 6.7.0.25
• 6.7.0.26
• 6.7.0.27
• 6.7.0.28
• 6.7.0.29
• 6.7.0.30
• 6.7.0.31
• 6.7.0.32
• 6.7.0.33
• 6.7.0.34
• 6.7.0.35
• 6.7.0.36
• 6.7.0.37
• 6.7.0.38
• 6.7.0.39
• 6.7.0.40
• 6.7.0.41
• 6.7.0.42
• 6.7.0.43
• 6.7.0.44
• 6.7.0.45
• 6.7.0.46
• 6.7.0.47
• 6.7.0.48
• 6.7.0.49
• 6.7.0.50
• 6.7.0.51
• 6.7.0.52
• 6.7.0.53
• 6.7.0.54
• 6.7.0.55
• 6.7.0.56
• 6.7.0.57
• 6.7.0.58
• 6.7.0.59
• 6.7.0.60
• 6.7.0.61
• 6.7.0.62
• 6.7.0.63
• 6.7.0.64
• 6.7.0.65
• 6.7.0.66
• 6.7.0.67
• 6.7.0.68
• 6.7.0.69
• 6.7.0.70
• 6.7.0.71
• 6.7.0.72
• 6.7.0.73
• 6.7.0.74
• 6.7.0.75
• 6.7.0.76
• 6.7.0.77
• 6.7.0.78
• 6.7.0.79
• 6.7.0.80

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion