Impact
The vulnerability in the Quiz and Survey Master plugin allows an authenticated attacker with contributor-level or higher access to modify quizzes they do not own. By first calling the /quiz/structure endpoint with a victim quiz ID, the attacker obtains a nonce that is tied to that quiz and the attacker's user ID. The attacker can then submit that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership, enabling the attacker to overwrite quiz result pages and redirect quiz‑result notification emails to attacker‑controlled addresses.
Affected Systems
Various versions of the Quiz and Survey Master plugin for WordPress, from the plugin’s introduction up through version 11.1.4, are affected. The issue originates in the /quiz/structure and /quizzes/{id}/emails save REST API endpoints, regardless of the plugin’s configuration. This vulnerability specifically impacts installations where the WordPress user role system grants at least Contributor access to non‑admin users.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity for authenticated attackers. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated WordPress user with Contributor or higher role and an existing quiz; the attacker obtains a valid nonce from the /quiz/structure endpoint and then submits it to the /quizzes/{id}/emails save endpoint, bypassing ownership checks. Once this is achieved, the attacker can alter quiz content and redirect notification emails, potentially facilitating phishing or spam campaigns.
OpenCVE Enrichment