WordPress Plugin Vulnerabilities

QSM < 10.2.3 - Template Creation via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
quiz-master-next
Fixed in 10.2.3

References

CVE
CVE-2025-6790
URL
https://research.cleantalk.org/cve-2025-6790

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verified
Yes
WPVDB ID
af337f9f-c955-49eb-9675-2f85da96fcfe

Timeline

Publicly Published
2025-07-24 (about 5 months ago)
Added
2025-07-24 (about 5 months ago)
Last Updated
2025-07-24 (about 5 months ago)

Other

Published
Title
Published
2025-10-21
Title
Bard < 1.7 - Cross-Site Request Forgery
Published
2024-01-05
Title
WooCommerce < 8.3.0 - Cross-Site Request Forgery
Published
2025-10-02
Title
Notification Bar <= 2.2 - Cross-Site Request Forgery
Published
2022-03-28
Title
Easy Digital Downloads < 2.11.6 - Arbitrary Payment Note Insertion via CSRF
Published
2023-11-03
Title
Email Templates < 1.4.3 - Email Sending via CSRF