Authorization Bypass Vulnerability in Quiz and Survey Master Plugin for WordPress
CVE-2026-9230
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 3 July 2026
What is CVE-2026-9230?
The Quiz and Survey Master plugin for WordPress suffers from an authorization bypass vulnerability that affects all versions up to and including 11.1.4. This issue arises from the plugin's failure to adequately verify user permissions for specific actions. Authenticated users with contributor-level roles or higher can exploit this flaw to access and modify quizzes they do not own, overwrite results pages, and divert notification emails to their own addresses. Attackers can leverage this vulnerability by manipulating the /quiz/structure endpoint to retrieve a valid nonce linked to a target quiz ID, enabling unauthorized actions without proper ownership checks.
Affected Version(s)
Quiz and Survey Master (QSM) β Easy Quiz and Survey Maker 0 <= 11.1.4