CVE-2025-9637

MEDIUM

Quiz and Survey Master (QSM) <= 10.3.1 - Unauthenticated Unpublished Quiz Access and File Upload

Title source: llm

Description

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes, which allow file upload.

References (4)

Core 4

Core References

Product

https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L1987

Product

https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L281

Product

https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/rest-api.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/88a9abf4-62a9-4695-87e7-18ff0b0075e9?source=cve

Scores

CVSS v3 6.5

EPSS 0.0023

EPSS Percentile 13.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (2)

expresstech/Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker < 10.3.1

expresstech/quiz_and_survey_master < 10.3.2

Published Jan 06, 2026

Tracked Since Feb 18, 2026