Insecure Direct Object Reference in Chained Quiz Plugin for WordPress
CVE-2025-10493

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Chained Quiz
Vendor: CVE Published:; 18 September 2025

What is CVE-2025-10493?

The Chained Quiz plugin for WordPress has a vulnerability that allows unauthorized users to exploit the quiz submission and completion mechanisms. This is due to a lack of proper validation on a user-controlled parameter, specifically the chained_completion_id cookie. By manipulating this parameter, attackers can hijack quiz attempts, modify user submissions, and alter quiz outcomes without any authentication. While a partial fix was implemented in subsequent versions, maintaining updated software is essential to safeguard against potential exploits.

Affected Version(s)

Chained Quiz * <= 1.3.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/chained-quiz/t...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 18, 2025
Vulnerability Reserved
Sep 15, 2025

Credit

Karuppiah Sabari Kumar

JSON