CVE-2025-10493

MEDIUM

Chained Quiz <1.3.4 - Insecure Direct Object Reference

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-10493. PoCs published by 0xsabre.

AI-analyzed exploit summary The exploit describes an Insecure Direct Object Reference (IDOR) vulnerability in the Chained Quiz WordPress plugin, allowing unauthenticated attackers to manipulate quiz results by tampering with the completion_id cookie.

Description

The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5.

Exploits (1)

exploitdb WRITEUP
by 0xsabre · textwebappsmultiple
https://www.exploit-db.com/exploits/52464

The exploit describes an Insecure Direct Object Reference (IDOR) vulnerability in the Chained Quiz WordPress plugin, allowing unauthenticated attackers to manipulate quiz results by tampering with the completion_id cookie.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Chained Quiz WordPress plugin <= 1.3.3
No auth needed
Prerequisites: Access to the target WordPress site with the vulnerable plugin installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 5.3
EPSS 0.0400
EPSS Percentile 88.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (1)
prasunsen/Chained Quiz < 1.3.5
Published Sep 18, 2025
Tracked Since Feb 18, 2026