CVE-2025-9637
Unauthorized Access and File Upload in QSM WordPress Plugin
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quiz_and_survey_master | qsm | up to and including 10.3.1 |
| quiz_master_next | quiz_master_next | 10.2.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Quiz and Survey Master (QSM) WordPress plugin allows unauthenticated attackers to bypass missing capability and status checks. This enables them to access unpublished, private, or password-protected quizzes and submit file responses to quiz questions, effectively allowing unauthorized viewing and file uploads without proper permissions.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive quiz content that is meant to be private or restricted. Additionally, attackers can upload files through quiz responses, which may lead to further security risks such as malware upload or exploitation of the server hosting the plugin.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for unauthorized access attempts to unpublished, private, or password-protected quizzes, and unusual file upload activity related to the Quiz and Survey Master plugin. Since the vulnerability allows unauthenticated attackers to view and submit file responses, you can check web server logs for suspicious HTTP requests targeting quiz endpoints or AJAX actions such as 'qmn_process_quiz' or file upload handlers. Commands to help detect this include using grep on web server logs to find requests to quiz-related AJAX endpoints or unusual POST requests with file uploads. For example:
1. grep 'wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep -E 'qmn_process_quiz|qsm_upload_image_fd_question'
2. grep -i 'quiz' /var/log/apache2/access.log
3. Use network monitoring tools to detect unusual POST requests to the WordPress site.
Additionally, scanning the WordPress installation to verify whether the plugin version is at or below 10.3.1 can help identify vulnerable instances. [2]
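The grep checks above can be taken a step further with a small parser that walks the access log and groups QSM AJAX hits per source address. This is an added example, not code from the advisory or from the plugin; the log lines are constructed, the action names are the two quoted in the guidance, and the only caveat worth remembering is that POST bodies are never written to access logs, so an action sent only in the body will not be visible to this or to grep.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log format (the referer/user-agent tail is optional here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# AJAX actions named in the detection guidance above (assumption: extend as needed).
SUSPECT_ACTIONS = {"qmn_process_quiz", "qsm_upload_image_fd_question"}

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jan/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=qmn_process_quiz HTTP/1.1" 200 512
203.0.113.7 - - [06/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=qsm_upload_image_fd_question HTTP/1.1" 200 88
198.51.100.4 - - [06/Jan/2026:10:01:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40
203.0.113.7 - - [06/Jan/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=qsm_upload_image_fd_question HTTP/1.1" 200 88
192.0.2.9 - - [06/Jan/2026:10:02:00 +0000] "GET /quiz/private-onboarding/ HTTP/1.1" 200 2048
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspect_action(url):
    """Return the QSM action carried in the query string of an admin-ajax.php URL, else None.
    Only actions passed in the URL are visible: access logs do not record POST bodies."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(parts.query).get("action", [None])[0]
    return action if action in SUSPECT_ACTIONS else None

def find_suspect_requests(log_text):
    """Map each source IP to the (action, status) pairs of its POSTs to QSM AJAX actions."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action = suspect_action(rec["url"])
        if action and rec["method"] == "POST":
            hits[rec["ip"]].append((action, rec["status"]))
    return dict(hits)

def upload_counts(hits):
    """Count file-upload submissions per IP; a burst from one source merits a closer look."""
    return Counter(ip for ip, recs in hits.items()
                   for action, _ in recs if action == "qsm_upload_image_fd_question")

if __name__ == "__main__":
    found = find_suspect_requests(SAMPLE_LOG)
    for ip, recs in found.items():
        print(ip, recs)
    print("uploads per IP:", dict(upload_counts(found)))
```

Point it at the real log with `find_suspect_requests(open("/var/log/apache2/access.log").read())`; successful (200) upload actions from addresses that never carried a logged-in session are the ones to investigate.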
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Update the Quiz and Survey Master plugin to a version later than 10.3.1, where the vulnerability is fixed.
2. Restrict access to the plugin's AJAX endpoints by implementing additional access controls or firewall rules to block unauthenticated requests to sensitive AJAX actions such as quiz submissions and file uploads.
3. Temporarily disable file upload question types if possible to prevent unauthorized file uploads.
4. Monitor and audit logs for suspicious activity related to quiz access and file uploads.
5. Apply WordPress security best practices such as limiting plugin permissions and using security plugins to detect and block malicious requests. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to access and modify unpublished, private, or password-protected quiz data, including uploading files. This unauthorized access and potential data exposure could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over personal and sensitive data access and processing. Therefore, organizations using the affected plugin versions may face compliance risks due to potential data breaches or unauthorized data handling. [2]