Description
The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5.
Published: 2025-09-18
Score: 5.3 Medium
EPSS: 4.0% Low
KEV: No
Impact: Unauthenticated direct object reference permitting attackers to hijack and alter other users’ quiz attempts, answers, scores, and results
Action: Apply Latest Patch
AI Analysis

Impact

The Chained Quiz plugin for WordPress contains an insecure direct object reference flaw (CWE-639, authorization bypass through a user-controlled key): it reads the chained_completion_id cookie and uses it to look up a quiz attempt without checking that the attempt belongs to the current visitor. Because the cookie is an attacker-chosen key rather than a secret bound to the visitor's session, anyone who sets it to another attempt's identifier makes the plugin load that attempt as if it were their own and write answers, scores, and final results into it through the normal submission and completion flow. The flaw does not grant remote code execution. The published CVSS vector (C:N/I:L/A:N) scores it as a low integrity impact on quiz data with no confidentiality or availability impact; whatever the plugin renders for the hijacked attempt may still be disclosed to the attacker, but that is not reflected in the score.

Affected Systems

WordPress sites running the Chained Quiz plugin (author prasunsen, distributed through the official WordPress plugin repository) are affected. The CVE description names 1.3.4 and below, but because 1.3.4 and 1.3.5 carry only a partial fix the advisory title scopes the issue to <= 1.3.5; treat every release up to and including 1.3.5 as still vulnerable, not merely "likely" so. The CVE was assigned and published by Wordfence.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N): reachable over the network, low attack complexity, no privileges or user interaction required, low integrity impact only. The EPSS score of 4% indicates a low but non-zero probability of exploitation in the wild, and the CVE is not in the CISA KEV catalog; the SSVC assessment records Exploitation: none, Automatable: yes, Technical Impact: partial. The attack path is simple: an unauthenticated visitor sets chained_completion_id to another attempt's identifier and then uses the quiz submission or completion endpoints as normal. Since SSVC rates the issue automatable, expect that an attacker can walk through attempt identifiers and alter every attempt on the site rather than a single target.

Generated by OpenCVE AI on April 22, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Chained Quiz release later than 1.3.5 that fully addresses the flaw as soon as the author publishes one; 1.3.4 and 1.3.5 are only partial fixes and remain in scope of the advisory
  • Until then, deactivate or remove the plugin: the attack needs no authentication and no vendor workaround is listed
  • If you maintain a fork or must keep the plugin running, stop treating chained_completion_id as proof of ownership: bind each attempt to a high-entropy, server-generated token (and to the user account when the taker is logged in), verify that binding server-side before any read or write of attempt data, and reject requests whose cookies do not match an existing attempt
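The following is an added illustration of the vulnerable lookup pattern described in the Impact section beside the ownership check recommended above. It is not the Chained Quiz plugin's code: the function names, the wp_chained_completions table and its columns (id, quiz_id, user_id, owner_token, completed), and the chained_completion_token cookie are assumptions made for the example; only the chained_completion_id cookie comes from the advisory.

```php
<?php
/*
 * Added illustration, not the Chained Quiz plugin's source. Table name,
 * column names, function names and the chained_completion_token cookie
 * are assumptions; only chained_completion_id is named in the advisory.
 */

/* VULNERABLE shape (CWE-639): the cookie is the only key used to locate the
 * attempt, so whoever sets chained_completion_id=<n> reads and writes
 * attempt <n>, regardless of who started it. intval() and prepare() stop
 * SQL injection but do nothing for authorization. */
function cq_load_completion_vulnerable() {
    global $wpdb;
    $id = isset( $_COOKIE['chained_completion_id'] ) ? intval( $_COOKIE['chained_completion_id'] ) : 0;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}chained_completions WHERE id = %d", $id ) );
}

/* HARDENED shape: when an attempt is created, generate a 256-bit owner token,
 * store only its hash, and hand the visitor the raw token in a second cookie.
 * The numeric id may stay visible; it is no longer sufficient on its own. */
function cq_create_completion( $quiz_id ) {
    global $wpdb;
    $token = bin2hex( random_bytes( 32 ) );
    $wpdb->insert(
        $wpdb->prefix . 'chained_completions',
        array(
            'quiz_id'     => (int) $quiz_id,
            'user_id'     => get_current_user_id(), // 0 for anonymous takers
            'owner_token' => hash( 'sha256', $token ),
            'completed'   => 0,
        ),
        array( '%d', '%d', '%s', '%d' )
    );
    $id   = (int) $wpdb->insert_id;
    // HttpOnly + Secure + SameSite: the token is not readable by scripts and
    // is not attached to cross-site requests.
    $opts = array( 'path' => '/', 'secure' => is_ssl(), 'httponly' => true, 'samesite' => 'Lax' );
    setcookie( 'chained_completion_id', (string) $id, $opts );
    setcookie( 'chained_completion_token', $token, $opts );
    return $id;
}

/* Every read or write of attempt data goes through this; the id alone is
 * never trusted. Returns null on any mismatch, and the caller should then
 * refuse the request or start a fresh attempt rather than fall back to $id. */
function cq_load_completion_hardened( $for_update = false ) {
    global $wpdb;
    $id    = isset( $_COOKIE['chained_completion_id'] ) ? intval( $_COOKIE['chained_completion_id'] ) : 0;
    $token = isset( $_COOKIE['chained_completion_token'] ) ? (string) $_COOKIE['chained_completion_token'] : '';
    if ( $id <= 0 || ! preg_match( '/^[0-9a-f]{64}$/', $token ) ) {
        return null;
    }
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}chained_completions WHERE id = %d", $id ) );
    if ( ! $row ) {
        return null;
    }
    // Ownership: constant-time compare of hash(presented token) with the stored hash.
    if ( ! hash_equals( (string) $row->owner_token, hash( 'sha256', $token ) ) ) {
        return null;
    }
    // Logged-in takers are additionally bound to their account, so a leaked
    // token is not enough once the owner has signed in.
    if ( (int) $row->user_id !== 0 && (int) $row->user_id !== get_current_user_id() ) {
        return null;
    }
    // A finished attempt is read-only: results must not be rewritten afterwards.
    if ( $for_update && (int) $row->completed === 1 ) {
        return null;
    }
    return $row;
}
```

The submission and completion handlers would call cq_load_completion_hardened( true ) and abort on null. Two points worth noting when applying this pattern: rows created before the change have no owner_token and should be marked completed (or deleted) rather than left reachable by id alone, and a WordPress nonce is not a substitute for this check, because an unauthenticated attacker can obtain a valid nonce of their own from the quiz page.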


Advisories
Source | ID | Title
EUVD | EUVD-2025-29846 | The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5.
History

Thu, 18 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Sep 2025 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Thu, 18 Sep 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5.
Title Chained Quiz <= 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:38.202Z

Reserved: 2025-09-15T17:13:39.985Z

Link: CVE-2025-10493

Vulnrichment

Updated: 2025-09-18T13:54:55.439Z

NVD

Status : Deferred

Published: 2025-09-18T07:15:59.390

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10493

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:15:26Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key