Description
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.
Published: 2026-01-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of quiz results leading to data loss
Action: Patch
AI Analysis

Impact

The QSM plugin lacks a capability check on the qsm_dashboard_delete_result function. As a result, any authenticated user with Subscriber-level access or higher can invoke this function and delete quiz results stored by the plugin. This vulnerability enables loss of user data but does not grant broader system compromise or privilege escalation. The primary impact is integrity loss of quiz result data.

Affected Systems

The issue affects the ExpressTech Quiz and Survey Master WordPress plugin, versions 10.3.1 and earlier.

Risk and Exploitability

The CVSS score of 4.3 places this vulnerability in the medium severity range. An EPSS score below 1% suggests that exploitation is unlikely in the general population, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated WordPress account with at least the Subscriber role, so attackers must first compromise or gain access to a legitimate user account. Once authenticated, they can run the deletion action without additional privileges, making the attack path straightforward for insiders or users who have shared credentials.

Generated by OpenCVE AI on April 21, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Quiz and Survey Master to the latest version (10.3.2 or newer), which adds the missing capability check.
  • If an immediate update is not possible, remove the 'qsm_dashboard_delete_result' capability from the Subscriber role by creating a custom role or using a role editor plugin, preventing subscribers from deleting results.
  • Review existing quiz result data and restore from backups if data loss has occurred.
  • Monitor the plugin's audit logs or WordPress activity logs for unexpected calls to the result deletion function.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
CPEs cpe:2.3:a:expresstech:quiz_and_survey_master:*:*:*:*:*:wordpress:*:*

Tue, 06 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Expresstech
Expresstech quiz And Survey Master
Wordpress
Wordpress wordpress
Vendors & Products Expresstech
Expresstech quiz And Survey Master
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.
Title Quiz And Survey Master <= 10.3.1 - Missing Authorization to Authenticated (Subscriber+) Quiz Results Deletion
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:30.434Z

Reserved: 2025-08-20T22:35:45.725Z

Link: CVE-2025-9294

Vulnrichment

Updated: 2026-01-06T14:30:08.788Z

NVD

Status: Modified

Published: 2026-01-06T09:15:55.077

Modified: 2026-04-08T18:25:26.363

Link: CVE-2025-9294

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses