WordPress Plugin Vulnerabilities

Quiz And Survey Master < 10.3.2 - Subscriber+ Quiz Results Deletion

Description

The plugin is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.

Affects Plugins

Plugin icon
quiz-master-next
Fixed in 10.3.2

References

CVE
CVE-2025-9294
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/55895508-d0ef-4855-8d15-b8a45ba0dcb2

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
6edd9a13-d76d-4797-b3ca-d4565d2cb70b

Timeline

Publicly Published
2026-01-05 (about 5 months ago)
Added
2026-01-06 (about 5 months ago)
Last Updated
2026-01-06 (about 5 months ago)

Other

Published
Title
Published
2025-01-31
Title
Shortcodes and extra features for Phlox theme < 2.17.5 - Missing Authorization
Published
2025-10-06
Title
Table Block by RioVizual <= 3.0.0 - Missing Authorization
Published
2024-03-11
Title
LadiApp <= 4.4 - Missing Authorization via save_config()
Published
2025-06-19
Title
WP Customer Area <= 8.3.4 - Missing Authorization
Published
2025-12-31
Title
Signature Add-On for Gravity Forms < 1.8.7 - Missing Authorization