CVE-2025-9294
Authorization Bypass in QSM Plugin Allows Quiz Result Deletion
Publication date: 2026-01-06
Last updated on: 2026-04-08
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quiz_and_survey_master | qsm | up to and including 10.3.1 |
| quiz_master_next | quiz_master_next | 10.2.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with Subscriber-level access and above to delete quiz results without proper authorization checks. This unauthorized deletion of data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over data access and integrity. Specifically, the loss or manipulation of quiz result data may violate requirements for data accuracy, integrity, and auditability under these standards.
Can you explain this vulnerability to me?
This vulnerability exists in the Quiz and Survey Master (QSM) WordPress plugin up to and including version 10.3.1. It is caused by a missing capability check in the function qsm_dashboard_delete_result: the function verifies that the caller is logged in but not that the caller is allowed to manage quiz results, so any authenticated user with Subscriber-level access or higher can delete quiz results. Subscriber is WordPress's default role for self-registered accounts, so a site with open registration exposes this function to anyone who signs up. [2]
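The missing check described above, illustrated as an added example that is not QSM's own code: a deliberately minimal WordPress AJAX handler with no authorization check, beside the same handler with the nonce, capability and input checks a fix would add. The hook name, the `result_id` parameter, the `manage_options` capability and the table and column names are assumptions for illustration; only the function name qsm_dashboard_delete_result comes from the advisory.

```php
<?php
// Added example, not code from the QSM plugin. Hook name, request parameter,
// capability, table and column names are assumptions for illustration.

// BEFORE: the shape of a handler with a missing capability check (CWE-285).
// wp_ajax_* actions are reachable by every logged-in user, so being
// authenticated is the only gate, and a Subscriber passes it.
function example_delete_result_vulnerable() {
    global $wpdb;
    $result_id = absint( $_POST['result_id'] ?? 0 );      // assumed parameter name
    $wpdb->update(
        $wpdb->prefix . 'mlw_results',                    // assumed table name
        array( 'deleted' => 1 ),                          // assumed soft-delete column
        array( 'result_id' => $result_id ),
        array( '%d' ),
        array( '%d' )
    );
    wp_send_json_success( array( 'deleted' => $result_id ) );
}
// add_action( 'wp_ajax_qsm_dashboard_delete_result', 'example_delete_result_vulnerable' );

// AFTER: the same handler with the checks the advisory says were absent.
function example_delete_result_hardened() {
    global $wpdb;

    // 1. CSRF: the request must carry the nonce the dashboard page issued.
    //    check_ajax_referer() dies with a -1 response when it is missing or stale.
    check_ajax_referer( 'qsm_dashboard_delete_result', 'nonce' );

    // 2. Authorization, the CWE-285 fix: only users permitted to manage quiz
    //    results may delete them. Which capability is right is a product
    //    decision; 'manage_options' restricts it to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: a positive integer id and nothing else.
    $result_id = absint( wp_unslash( $_POST['result_id'] ?? 0 ) );
    if ( 0 === $result_id ) {
        wp_send_json_error( array( 'message' => 'Invalid result id' ), 400 );
    }

    // Prepared through $wpdb->update(), so the id is bound as an integer.
    $updated = $wpdb->update(
        $wpdb->prefix . 'mlw_results',                    // assumed table name
        array( 'deleted' => 1 ),                          // assumed soft-delete column
        array( 'result_id' => $result_id ),
        array( '%d' ),
        array( '%d' )
    );
    if ( false === $updated ) {
        wp_send_json_error( array( 'message' => 'Database error' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $result_id ) );
}
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_qsm_dashboard_delete_result', 'example_delete_result_hardened' );
```

The nonce alone would not have closed this bug: a Subscriber can obtain a valid nonce for any page they are allowed to load, so the capability check in step 2 is the control that actually decides who may delete.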
How can this vulnerability impact me?
An attacker with at least Subscriber-level access can exploit this vulnerability to delete quiz results, leading to unauthorized loss of data. This could disrupt data integrity and affect the reliability of quiz results stored by the plugin. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable code path is the qsm_dashboard_delete_result function in the Quiz and Survey Master plugin for WordPress, reached by an authenticated user with Subscriber-level access or above. Detection therefore focuses on quiz-result deletions requested by accounts that have no business managing quiz results. Two caveats matter in practice. WordPress core does not log AJAX or REST API requests, and for admin-ajax.php the action name travels in the POST body, so a standard web-server access log records only 'POST /wp-admin/admin-ajax.php' and cannot tell this action apart from any other. You need either request-body logging at the web server or WAF layer (for example ModSecurity audit logs) or a WordPress activity-logging plugin that records the acting user and the action. With that in place, look for AJAX or REST API calls naming 'qsm_dashboard_delete_result' from Subscriber accounts, and for unexpected changes to quiz-result rows in the plugin's tables ('mlw_quizzes' and related tables are named in the resources). The resources do not provide specific commands. [1]
What immediate steps should I take to mitigate this vulnerability?
The fix is to update the Quiz and Survey Master plugin to a version later than 10.3.1; if no fixed release is available, deactivate the plugin temporarily. Because the handler performs no capability check at all, adjusting roles or capabilities inside WordPress cannot stop a Subscriber from calling it; the levers that do work are limiting who can authenticate (disable open registration under Settings > General, remove or review untrusted Subscriber accounts) and blocking the deletion action for non-administrators at a WAF or in a must-use plugin until the update is applied. Independently, log and audit quiz-result deletions so that exploitation attempts are visible. [1]
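A virtual patch that covers both the interim mitigation and the detection points above, as an added example (not QSM's own code and not an official Wordfence rule): a must-use plugin that intercepts the request before the plugin's handler runs, denies it to users lacking a capability, and writes an allow/deny line to the PHP error log. It assumes the function is reached through admin-ajax.php under the action name qsm_dashboard_delete_result with a `result_id` parameter; verify the real action name against the plugin's source before relying on it.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-9294 (added example)
 *
 * Not QSM's own code. Place in wp-content/mu-plugins/ so it loads before
 * regular plugins. Assumes the vulnerable function is dispatched by
 * admin-ajax.php as action=qsm_dashboard_delete_result; if QSM registers it
 * under a different name, change QSM_VP_ACTION. The 'result_id' parameter
 * name is also an assumption and is only used for logging.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

define( 'QSM_VP_ACTION', 'qsm_dashboard_delete_result' ); // assumed AJAX action name
define( 'QSM_VP_CAPABILITY', 'manage_options' );          // who may delete results

/**
 * True when the current request is an admin-ajax call for the guarded action.
 * admin-ajax.php reads 'action' from $_REQUEST, so the same lookup is used here.
 */
function qsm_vp_request_targets_action() {
    if ( ! wp_doing_ajax() ) {
        return false;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    return QSM_VP_ACTION === $action;
}

/**
 * Hooked on admin_init, which admin-ajax.php fires before dispatching
 * wp_ajax_{action}. A denied request dies here and never reaches the
 * plugin's handler; an allowed one continues unchanged.
 */
function qsm_vp_enforce() {
    if ( ! qsm_vp_request_targets_action() ) {
        return;
    }

    $user      = wp_get_current_user();
    $roles     = implode( ',', (array) $user->roles );
    $ip        = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $result_id = isset( $_POST['result_id'] ) ? absint( wp_unslash( $_POST['result_id'] ) ) : 0;

    if ( current_user_can( QSM_VP_CAPABILITY ) ) {
        // Permitted, but deletion is destructive, so keep an audit trail anyway.
        error_log( sprintf( 'qsm-vp: ALLOW %s user=%d roles=%s ip=%s result_id=%d',
            QSM_VP_ACTION, $user->ID, $roles, $ip, $result_id ) );
        return;
    }

    // Denied: one greppable line per attempt, then stop the request.
    error_log( sprintf( 'qsm-vp: DENY %s user=%d roles=%s ip=%s result_id=%d',
        QSM_VP_ACTION, $user->ID, $roles, $ip, $result_id ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
add_action( 'admin_init', 'qsm_vp_enforce', 0 );
```

Lines go wherever PHP's error_log is directed (with WP_DEBUG_LOG enabled, wp-content/debug.log), so a DENY line from a Subscriber account is the exploitation signal the detection answer asks for. REMOTE_ADDR is the proxy's address when the site sits behind a reverse proxy or CDN; substitute the trusted forwarded-for header in that case. Remove the must-use plugin once the fixed QSM release is installed.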