CVE-2025-9294
Unknown Unknown - Not Provided
Authorization Bypass in QSM Plugin Allows Quiz Result Deletion

Publication date: 2026-01-06

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9294
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
quiz_and_survey_master qsm to 10.3.1 (inc)
quiz_master_next quiz_master_next 10.2.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access and above to delete quiz results without proper authorization checks. This unauthorized deletion of data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over data access and integrity. Specifically, the loss or manipulation of quiz result data may violate requirements for data accuracy, integrity, and auditability under these standards.

Executive Summary

This vulnerability exists in the Quiz and Survey Master (QSM) WordPress plugin up to version 10.3.1. It is caused by a missing capability check in the function qsm_dashboard_delete_result, which allows authenticated users with Subscriber-level access or higher to delete quiz results without proper authorization. [2]

Impact Analysis

An attacker with at least Subscriber-level access can exploit this vulnerability to delete quiz results, leading to unauthorized loss of data. This could disrupt data integrity and affect the reliability of quiz results stored by the plugin. [2]

Detection Guidance

This vulnerability involves unauthorized deletion of quiz results via the qsm_dashboard_delete_result function in the Quiz and Survey Master plugin for WordPress. Detection can focus on monitoring for suspicious deletion activity of quiz results, especially actions performed by users with Subscriber-level access or above. Since the vulnerability is due to a missing capability check, commands or logs that show deletion requests to the plugin's dashboard endpoint or database changes to quiz results could indicate exploitation attempts. Specific commands are not provided in the resources, but monitoring WordPress logs for AJAX or REST API calls related to 'qsm_dashboard_delete_result' or unusual deletion patterns in the 'mlw_quizzes' or related tables could help detect exploitation. [1]

Mitigation Strategies

Immediate mitigation steps include restricting user roles to prevent Subscriber-level users from accessing quiz result deletion functions, applying updates to the Quiz and Survey Master plugin beyond version 10.3.1 once available, or disabling the plugin temporarily if updates are not yet released. Additionally, monitoring and auditing user actions related to quiz result deletions can help detect exploitation. Since the vulnerability is due to a missing capability check, ensuring proper role and capability management in WordPress can reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9294. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart