Description
The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create new quizzes, and change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-06-27
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The HD Quiz plugin for WordPress allows an attacker to manipulate quiz content and plugin settings via Cross-Site Request Forgery. The flaw stems from the hdq_validate_nonce function not properly validating the WordPress nonce that should bind each AJAX request to a legitimate admin page, so a request forged from a third-party site is processed as if the logged-in administrator had made it. An attacker who can get an administrator to load a crafted page can thereby delete or modify quizzes and questions, create new quizzes, or change plugin settings. The impact is limited to integrity (CVSS I:L): unauthorized alteration of site data and configuration, with no confidentiality or availability impact rated.
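The pattern behind a "missing or incorrect nonce validation" finding, as an added illustration that is not HD Quiz's code (the body of hdq_validate_nonce is not on this page): a WordPress AJAX handler whose nonce check can be bypassed, next to a hardened version. The hook names, option name, nonce action and script handle (demo_*, demoQuiz) are hypothetical.

```php
<?php
/**
 * Added illustration, not the plugin's own code. A typical way a nonce
 * check ends up "missing or incorrect": the token is only verified when
 * the request happens to carry one, so a forged request simply omits it.
 * All demo_* names, the option name and the nonce action are hypothetical.
 */

// Vulnerable pattern: absent nonce is treated as valid (BUG).
function demo_validate_nonce_broken() {
    if ( isset( $_POST['nonce'] ) ) {
        // wp_verify_nonce() returns 1 or 2 for a valid token, false otherwise.
        return (bool) wp_verify_nonce( $_POST['nonce'], 'demo_quiz_action' );
    }
    return true; // BUG: a cross-site form that sends no nonce passes here
}

function demo_save_settings_broken() {
    if ( ! demo_validate_nonce_broken() ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // Reached by any request the browser sends with the admin's session cookie.
    update_option( 'demo_quiz_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}
// wp_ajax_* hooks run only for logged-in users, which is exactly the session
// a CSRF page borrows; wp_ajax_nopriv_* would be the unauthenticated variant.
add_action( 'wp_ajax_demo_save_settings_broken', 'demo_save_settings_broken' );

// Hardened pattern: check_ajax_referer() reads $_REQUEST['nonce'] and, with
// $die = true (default), terminates the request with HTTP 403 when the nonce
// is missing or invalid. A capability check follows, so a valid nonce from a
// low-privileged user still cannot change plugin settings.
function demo_save_settings_fixed() {
    check_ajax_referer( 'demo_quiz_action', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'demo_quiz_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_settings_fixed', 'demo_save_settings_fixed' );

// The legitimate admin page hands the nonce to its own script. The token is
// derived from the user ID and session token, so a page on another origin
// cannot read or compute it, which is what makes the check effective.
function demo_enqueue_admin_script() {
    wp_enqueue_script( 'demo-quiz-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-quiz-admin', 'demoQuiz', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_quiz_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

When auditing a plugin for this class of bug, grep every wp_ajax_* callback for check_ajax_referer() or wp_verify_nonce() and confirm two things: the check runs unconditionally (not only when the parameter is present), and the function stops on failure rather than returning a value the caller ignores. A nonce check alone is not an authorization check, so each state-changing handler also needs a current_user_can() test for the capability the action really requires.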

Affected Systems

Any WordPress site running HD Quiz version 2.2.0 or 2.2.1 is affected. The plugin is published by Harmonic Design under the name HD Quiz, and only these two releases are listed as vulnerable; no other versions are listed as impacted.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: the attacker needs no privileges, but user interaction is required. EPSS data is not available, and the issue is not listed in CISA KEV. The attack requires an administrator who is logged in to the WordPress site to follow a crafted link or load an attacker-controlled page, which then submits the forged request to the plugin's AJAX handlers (served through admin-ajax.php) with the administrator's session cookies attached by the browser. Exploitation therefore depends on social engineering an authenticated administrator; it does not require the attacker to hold any credentials.

Generated by OpenCVE AI on June 27, 2026 at 04:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HD Quiz plugin to version 2.2.2 or later, which adds correct nonce validation to the affected AJAX handlers. The Remediation field above lists no vendor fix, so confirm the fixed version against the vendor's changelog before relying on it.
  • If an upgrade is not immediately possible, deactivate the plugin until it can be updated; its AJAX handlers are only registered while it is active, so forged requests to them are no longer processed.
  • Keep the number of administrator accounts small and have administrators avoid following untrusted links while logged in. A CSRF request reuses the victim's existing session, so two-factor authentication at login does not block it, although it still limits the separate risk of credential theft.

Generated by OpenCVE AI on June 27, 2026 at 04:05 UTC.

Advisories

No advisories yet.

References
History

Sat, 27 Jun 2026 02:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create new quizzes, and change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title        (none)           HD Quiz 2.2.0 - 2.2.1 - Cross-Site Request Forgery via Multiple AJAX Handlers
Weaknesses   (none)           CWE-352
References   (none)           (none)
Metrics      (none)           cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-27T01:27:22.484Z

Reserved: 2026-06-26T12:56:05.661Z

Link: CVE-2026-13422

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T04:15:10Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)