Impact
The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin for WordPress contains an insecure direct object reference flaw that allows an authenticated user with the custom-level role or higher to supply a rule_id, quiz_id, or item_id parameter that is not properly validated. This flaw enables the attacker to modify or delete quiz rules owned by other teachers. While it does not enable code execution or data exfiltration, the integrity of assessment data is compromised, which could affect grading correctness and the trustworthiness of the learning platform.
Affected Systems
WordPress sites that have installed the PressPrimer Quiz plugin in any version up to and including 2.3.0 are affected. Any user with custom-level privileges (typically teachers or administrators) can exploit the flaw if the REST API endpoints are accessible. Sites that host user-generated content through this plugin's quizzes are therefore at risk.
Risk and Exploitability
The CVSS score of 4.3 places the issue in the moderate severity range, and the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation. Because only authenticated users can exploit the flaw, the attack vector is essentially internal or relies on compromised credentials. Nonetheless, the potential to alter other users’ quiz configurations warrants prompt attention.
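The object-level authorization check whose absence is described under Impact, as an added example and not the plugin's own code: the permission callback resolves the owner of the requested rule from the database and compares it with the current user, instead of stopping at the role check. The example/v1 route, the example_manage_quizzes capability, the example_quiz_rules table with its owner_id column, and both function names are hypothetical.

```php
<?php
// Added example; every "example_" name, the route and the table are hypothetical.

// Permission callback: the caller must hold the capability AND own the rule.
function example_rule_permission( WP_REST_Request $request ) {
    // Role check alone is not enough: it says the caller is a teacher,
    // not that this particular rule belongs to them.
    if ( ! current_user_can( 'example_manage_quizzes' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient role.', array( 'status' => 403 ) );
    }

    global $wpdb;
    // Look the rule up under the quiz named in the same request, so a
    // rule_id cannot be paired with an unrelated quiz_id.
    $owner_id = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT owner_id FROM {$wpdb->prefix}example_quiz_rules WHERE id = %d AND quiz_id = %d",
            absint( $request['rule_id'] ),
            absint( $request['quiz_id'] )
        )
    );

    // Same 404 for "missing" and "owned by someone else", so responses
    // do not reveal which ids exist.
    if ( null === $owner_id || (int) $owner_id !== get_current_user_id() ) {
        return new WP_Error( 'rest_not_found', 'Rule not found.', array( 'status' => 404 ) );
    }
    return true;
}

// Handler: runs only after the permission callback has returned true.
function example_delete_rule( WP_REST_Request $request ) {
    global $wpdb;
    $wpdb->delete(
        $wpdb->prefix . 'example_quiz_rules',
        array( 'id' => absint( $request['rule_id'] ) ),
        array( '%d' )
    );
    return new WP_REST_Response( null, 204 );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/quizzes/(?P<quiz_id>\d+)/rules/(?P<rule_id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_delete_rule',
        'permission_callback' => 'example_rule_permission',
    ) );
} );
```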