WordPress Plugin Vulnerabilities
Quiz And Survey Master < 11.1.3 - Unauthenticated User Enumeration and Password Oracle via Quiz Login
Description
The plugin does not implement rate limiting or standard failed-login auditing on its front-end credential-check functionality and returns distinct responses for valid and invalid accounts, allowing unauthenticated attackers to enumerate valid usernames and to brute-force passwords while bypassing brute-force protection plugins.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Ahmad Mubarak Alanazi
Submitter
Ahmad Mubarak Alanazi
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-07-06 (about 2 days ago)
Added
2026-07-06 (about 1 day ago)
Last Updated
2026-07-06 (about 1 day ago)