Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker < 10.3.5 – Missing Authorization | CVE 2026-25329 | Plugin Vulnerabilities

Description

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 10.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

quiz-master-next

Fixed in 10.3.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2368e46a-022c-4829-80f1-7d010e8587ed

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Mohammad Amin Hajian (mamadrce)

Verified

No

WPVDB ID

a5d88072-8e76-42e6-919c-93eb3085e75a

Timeline

Publicly Published

2026-02-05 (about 4 months ago)

Added

2026-05-04 (about 1 month ago)

Last Updated

2026-05-04 (about 1 month ago)

Other

Published

Title

Published

2025-03-04

Title

JNews - WordPress Newspaper Magazine Blog AMP Theme < 11.6.7 - Unauthorized User Registration

Published

2025-04-17

Title

BERTHA AI < 1.12.11 - Authenticated (Subscriber+) Arbitrary Content Deletion

Published

2026-02-21

Title

linkPizza-Manager < 5.6.0 - Missing Authorization

Published

2024-04-05

Title

Church Admin < 4.1.7 - Missing Authorization

Published

2024-11-18

Title

de:branding <= 1.0.2 - Privilege Escalation