CVE-2025-49401
BaseFortify
Publication date: 2025-09-05
Last updated on: 2026-04-23
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| expresstech_systems | quiz_and_survey_master | 10.2.5 |
| expresstech_systems | quiz_and_survey_master | 10.2.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a PHP Object Injection issue in the WordPress Quiz And Survey Master Plugin (up to version 10.2.5). It allows unauthenticated attackers to inject malicious objects during deserialization of untrusted data, potentially enabling them to execute arbitrary code, perform SQL injection, path traversal, denial of service, and other attacks if a suitable PHP Object Injection Property Oriented Programming (POP) chain is available. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can lead to severe impacts including arbitrary code execution, unauthorized database access via SQL injection, file system access through path traversal, denial of service, and other malicious activities. This can compromise the security and availability of your website and data. [1]
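The answers above describe the generic PHP Object Injection pattern: unserialize() on attacker-controlled input instantiates whatever class the payload names, and that class's magic methods become the start of a POP chain. The following is an added example written for this page, not code from the Quiz And Survey Master plugin or from Patchstack. It shows the defensive side only: a wrapper that deserializes with allowed_classes => false (PHP 7.0+), so a serialized object never reaches a real class and is rejected instead, plus the JSON alternative that carries no class names at all. The function names and the sample payloads are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: deserialize untrusted input without ever instantiating a
// class. Returns the decoded value, or null when the payload is invalid or
// contains an object (which a POP chain would need).
function unserialize_untrusted(string $payload): mixed
{
    // allowed_classes => false turns every object in the payload into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() of a real
    // class is ever invoked. The @ only silences the malformed-data notice.
    $value = @unserialize($payload, ['allowed_classes' => false]);

    // unserialize() returns false on error; tell that apart from a
    // legitimately serialized boolean false.
    if ($value === false && $payload !== serialize(false)) {
        return null;
    }

    return contains_object($value) ? null : $value;
}

// Recursively check whether a decoded value still holds any object
// (including __PHP_Incomplete_Class placeholders).
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample payloads: one plain settings array, one that names a
// class (stdClass is used here purely as a harmless stand-in).
$samples = [
    'settings array' => serialize(['questions' => 10, 'title' => 'Sample quiz']),
    'object payload' => 'O:8:"stdClass":1:{s:4:"name";s:5:"value";}',
    'malformed data' => 'a:1:{garbage',
];

foreach ($samples as $label => $payload) {
    $result = unserialize_untrusted($payload);
    echo $label, ': ', $result === null ? 'rejected' : 'accepted', PHP_EOL;
}

// Preferred for new code: JSON has no notion of classes, so there is
// nothing for a POP chain to attach to.
$decoded = json_decode(json_encode(['questions' => 10]), true, 512, JSON_THROW_ON_ERROR);
echo 'json: ', is_array($decoded) ? 'accepted' : 'rejected', PHP_EOL;
```

Rejecting the whole payload when any object survives is deliberate: silently replacing objects with placeholders can still break application logic downstream, and a hard reject is the behaviour you want to see logged when a malicious payload arrives.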
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the WordPress Quiz And Survey Master Plugin version is 10.2.5 or earlier. Since this is a PHP Object Injection vulnerability, direct detection via simple commands is challenging. Users are advised to check the plugin version installed on their WordPress site. Additionally, monitoring for unusual behavior such as unexpected code execution, SQL injection attempts, or path traversal activities may help. However, plugin-based malware scanners may be unreliable for this vulnerability. No specific detection commands are provided. [1]
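Since the answer above reduces detection to "check the installed plugin version", here is an added example of that check, written for this page and not taken from the plugin, WordPress core or Patchstack. It reads the "Version:" line from a plugin's header comment the way WordPress does and compares it with version_compare() against the fixed version quoted in the advisory (10.2.6). The plugin path (wp-content/plugins/quiz-master-next/mlw_quizmaster2.php) is an assumption about the plugin's layout, not something the advisory states, and the embedded header is a constructed sample so the script also runs without a WordPress install.

```php
<?php
declare(strict_types=1);

// Added example: flag an installed Quiz And Survey Master version below
// the fix release named in the advisory text.
const QSM_FIXED_VERSION = '10.2.6';

// Pull "Version: x.y.z" out of a plugin file header. The pattern mirrors
// how WordPress reads plugin headers: the key may sit behind comment
// characters and is matched case-insensitively, one header per line.
function plugin_header_version(string $header): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $header, $m) === 1) {
        return $m[1];
    }
    return null;
}

// True when the installed version is older than the fixed release.
function is_vulnerable_version(string $installed, string $fixed = QSM_FIXED_VERSION): bool
{
    return version_compare($installed, $fixed, '<');
}

// Assumed location of the plugin's main file (not confirmed by the advisory).
$main_file = '/var/www/html/wp-content/plugins/quiz-master-next/mlw_quizmaster2.php';

// Constructed sample header used when the real file is not present.
$sample_header = <<<'HEADER'
/**
 * Plugin Name: Quiz And Survey Master
 * Version: 10.2.5
 */
HEADER;

// Only the first few KB are needed; WordPress itself reads 8 KB for headers.
$header = is_readable($main_file)
    ? (string) file_get_contents($main_file, false, null, 0, 8192)
    : $sample_header;

$installed = plugin_header_version($header);

if ($installed === null) {
    echo "No Version: header found; cannot determine the installed version.", PHP_EOL;
} elseif (is_vulnerable_version($installed)) {
    echo "Installed {$installed} is below {$installed_fixed = QSM_FIXED_VERSION}: update the plugin.", PHP_EOL;
} else {
    echo "Installed {$installed} is at or above " . QSM_FIXED_VERSION . ".", PHP_EOL;
}
```

On a host with WP-CLI, the same information comes from `wp plugin get quiz-master-next --field=version` (the slug again being an assumption), which is the quicker check across many sites. Version checking only tells you whether the vulnerable code is present; as the answer above notes, it says nothing about whether it has already been exploited, so pair it with log review for the unusual behaviour described there.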
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the Patchstack virtual patch (vPatch) which automatically blocks attacks targeting this vulnerability until the plugin is updated. The most effective mitigation is to update the Quiz And Survey Master Plugin to version 10.2.6 or later, where the vulnerability is fixed. Users should also consider enabling auto-update features for the plugin to ensure timely patching. If a website is suspected to be compromised, professional incident response services are recommended. [1]