WordPress Plugin Vulnerabilities

Quiz And Survey Master < 7.3.7 - Multiple Author+ IDOR

Description

The plugin does not properly check for authorisation, which could allow users with a role as low as author to perform unauthorised actions, such as delete and duplicate quiz they should not be able to

Affects Plugins

Plugin icon
quiz-master-next
Fixed in 7.3.7

References

CVE
CVE-2021-36906

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Vlad Vector
Verified
No
WPVDB ID
49b1282b-21ae-45f3-bbe7-6ac2a7cdd340

Timeline

Publicly Published
2022-10-21 (about 3 years ago)
Added
2022-11-03 (about 3 years ago)
Last Updated
2022-11-03 (about 3 years ago)

Other

Published
Title
Published
2024-04-22
Title
ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.0 - Insecure Direct Object Reference
Published
2025-07-21
Title
WP JobHunt <= 7.2 - Subscriber+ Arbitrary Account Deletion via IDOR
Published
2026-01-02
Title
Sweet Jane <= 1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-09-01
Title
Miraculous Core < 2.0.9 - Unauthenticated Insecure Direct Object Reference
Published
2026-01-15
Title
Membership Plugin – Restrict Content < 3.2.17 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure