CVE-2025-12426
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-12-12
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ays-pro | quiz_maker | up to 6.7.0.81 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-NVD-CWE-noinfo | |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Quiz Maker plugin for WordPress allows unauthenticated attackers to access sensitive information, specifically quiz answers. This happens because the plugin exposes quiz answers through an AJAX action called ays_quiz_check_answer without proper authorization checks. Although the endpoint validates a nonce, this nonce is publicly available to all site visitors, enabling attackers to extract quiz answers for any quiz question.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of quiz answers, which may compromise the integrity of quizzes and assessments. Attackers can obtain correct answers without permission, potentially undermining the purpose of quizzes, affecting user trust, and damaging the reputation of the website or organization using the plugin.