WordPress Plugin Vulnerabilities

Quiz And Survey Master < 11.1.3 - Unauthenticated User Enumeration and Password Oracle via Quiz Login

Description

The plugin does not implement rate limiting or standard failed-login auditing on its front-end credential-check functionality and returns distinct responses for valid and invalid accounts, allowing unauthenticated attackers to enumerate valid usernames and to brute-force passwords while bypassing brute-force protection plugins.

Proof of Concept

Affects Plugins

Fixed in 11.1.3

References

Classification

Type
SENSITIVE DATA DISCLOSURE
CWE

Miscellaneous

Original Researcher
Ahmad Mubarak Alanazi
Submitter
Ahmad Mubarak Alanazi
Submitter twitter
Verified
Yes

Timeline

Publicly Published
2026-07-06 (about 2 days ago)
Added
2026-07-06 (about 1 day ago)
Last Updated
2026-07-06 (about 1 day ago)

Other