Impact
The Proctorio Chrome Extension registers multiple window.addEventListener('message', ...) handlers that do not validate the origin of the event. An incoming message is processed whenever its payload carries a fromWebsite property; event.origin, the only sender attribute the browser sets and the sender cannot forge, is ignored. Because fromWebsite lives in the attacker-controlled payload, it is no check at all: any web page, malicious or compromised, can send crafted postMessage events to the extension and cause it to perform unintended actions, reveal confidential information, or alter its internal state. The weakness corresponds to CWE-346: Insufficient Verification of the Origin of a Message.
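The pattern above, as an added example that is not Proctorio's code: a listener gated only on a payload property, beside a listener that checks event.origin against an allowlist before acting. The action table, the origins and the MessageEvent-like objects are constructed for the demonstration so that it runs under Node; in a real extension the browser delivers the MessageEvent and the handler is registered with window.addEventListener('message', ...).

```javascript
// Hypothetical privileged actions a content-script listener might expose.
const actions = {
  'set-state': (msg) => ({ ok: true, effect: `state=${msg.value}` }),
  'get-secret': () => ({ ok: true, effect: 'returned session token' }),
};

// Vulnerable pattern (CWE-346): the only gate is a field the sender chose.
// Any page can run
//   frame.contentWindow.postMessage({ fromWebsite: true, cmd: 'get-secret' }, '*');
// and pass this check, because event.origin is never consulted.
function vulnerableHandler(event) {
  const msg = event.data;
  if (!msg || !msg.fromWebsite) return { accepted: false };
  const act = actions[msg.cmd];
  if (!act) return { accepted: false };
  return { accepted: true, ...act(msg) };
}

// Hardened pattern: reject anything whose browser-set origin is not on the
// allowlist, validate the payload shape, and reply only to event.source at
// the verified origin rather than with a '*' target.
function makeHardenedHandler(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function hardenedHandler(event) {
    if (!allowed.has(event.origin)) return { accepted: false, reason: 'origin' };
    const msg = event.data;
    if (!msg || typeof msg.cmd !== 'string') return { accepted: false, reason: 'shape' };
    const act = actions[msg.cmd];
    if (!act) return { accepted: false, reason: 'cmd' };
    const result = act(msg);
    if (event.source && typeof event.source.postMessage === 'function') {
      event.source.postMessage({ reply: result.effect }, event.origin);
    }
    return { accepted: true, ...result };
  };
}

// Constructed MessageEvent-like object. `origin` is what the browser would
// stamp on the event; an attacker controls `data` but not `origin`.
function craftedEvent(origin) {
  return {
    origin,
    data: { fromWebsite: true, cmd: 'get-secret' },
    source: { sent: [], postMessage(m, target) { this.sent.push({ m, target }); } },
  };
}

// Run both listeners against a message from the (assumed) exam site and
// from an arbitrary attacker page.
function demo() {
  const legit = craftedEvent('https://exam.example.edu');
  const evil = craftedEvent('https://attacker.example');
  const hardened = makeHardenedHandler(['https://exam.example.edu']);
  return {
    vulnLegit: vulnerableHandler(legit).accepted,   // true
    vulnEvil: vulnerableHandler(evil).accepted,     // true: attacker page gets through
    hardLegit: hardened(legit).accepted,            // true
    hardEvil: hardened(evil).accepted,              // false: rejected on origin
    replyTarget: legit.source.sent[0].target,       // 'https://exam.example.edu'
  };
}

console.log(demo());
```

The fix is the allowlist comparison on event.origin, not a stricter check on fromWebsite; nothing in the payload can substitute for the origin, and on the reply side the same origin should be passed as the targetOrigin so that a response never reaches a page that was not verified.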
Affected Systems
All users of the Proctorio Secure Exam Proctor Extension are affected; no specific product versions are listed, suggesting that every released version containing the described handlers is vulnerable.
Risk and Exploitability
The CVSS score of 3.6 classifies the vulnerability as low severity. The EPSS score of less than 1% indicates a very low probability of exploitation, and the vulnerability is not currently included in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires only that the victim has the Proctorio extension installed and loads, or is redirected to, a page that sends crafted postMessage events to the extension; that is possible during a normal browsing session with no further user interaction. The attack vector is remote, and no browser restriction stands in the way: postMessage is designed to cross origins, so the receiving handler's origin check is the sole control, and it is absent here.
OpenCVE Enrichment