Authorization Bypass Vulnerability in Quiz and Survey Master Plugin for WordPress
CVE-2026-9230

4.3MEDIUM

What is CVE-2026-9230?

The Quiz and Survey Master plugin for WordPress suffers from an authorization bypass vulnerability that affects all versions up to and including 11.1.4. This issue arises from the plugin's failure to adequately verify user permissions for specific actions. Authenticated users with contributor-level roles or higher can exploit this flaw to access and modify quizzes they do not own, overwrite results pages, and divert notification emails to their own addresses. Attackers can leverage this vulnerability by manipulating the /quiz/structure endpoint to retrieve a valid nonce linked to a target quiz ID, enabling unauthorized actions without proper ownership checks.

Affected Version(s)

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker 0 <= 11.1.4

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kirasec
.