Description
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify quizzes they do not own, overwrite quiz results pages, and reroute quiz-result notification emails to attacker-controlled addresses. An attacker first calls the /quiz/structure endpoint with an arbitrary victim quiz ID to obtain a valid nonce bound to that quiz ID and their own user ID, then presents that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership.
Published: 2026-07-03
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Quiz and Survey Master plugin allows an authenticated attacker with contributor-level or higher access to modify quizzes they do not own. By first calling the /quiz/structure endpoint with a victim quiz ID, the attacker obtains a nonce that is tied to that quiz and the attacker's user ID. The attacker can then submit that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership, enabling the attacker to overwrite quiz result pages and redirect quiz‑result notification emails to attacker‑controlled addresses.

Affected Systems

Various versions of the Quiz and Survey Master plugin for WordPress, from the plugin’s introduction up through version 11.1.4, are affected. The issue originates in the /quiz/structure and /quizzes/{id}/emails save REST API endpoints, regardless of the plugin’s configuration. This vulnerability specifically impacts installations where the WordPress user role system grants at least Contributor access to non‑admin users.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity for authenticated attackers. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated WordPress user with Contributor or higher role and an existing quiz; the attacker obtains a valid nonce from the /quiz/structure endpoint and then submits it to the /quizzes/{id}/emails save endpoint, bypassing ownership checks. Once this is achieved, the attacker can alter quiz content and redirect notification emails, potentially facilitating phishing or spam campaigns.

Generated by OpenCVE AI on July 4, 2026 at 09:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quiz and Survey Master plugin to a version newer than 11.1.4 that addresses the authorization bypass.
  • Restrict contributor‑level access for users that do not require quiz editing permission to minimize the attack surface.
  • Monitor and audit quiz‑related REST API activity for abnormal changes and investigate any unauthorized modifications promptly.

Generated by OpenCVE AI on July 4, 2026 at 09:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Expresstech
Expresstech quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
Wordpress
Wordpress wordpress
Vendors & Products Expresstech
Expresstech quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
Wordpress
Wordpress wordpress

Fri, 03 Jul 2026 08:00:00 +0000

Type Values Removed Values Added
Description The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify quizzes they do not own, overwrite quiz results pages, and reroute quiz-result notification emails to attacker-controlled addresses. An attacker first calls the /quiz/structure endpoint with an arbitrary victim quiz ID to obtain a valid nonce bound to that quiz ID and their own user ID, then presents that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership.
Title Quiz and Survey Master (QSM) <= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Quiz Modification and Email Reroute via Leaked Nonce from /quiz/structure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Expresstech Quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-03T06:50:11.170Z

Reserved: 2026-05-21T18:35:49.663Z

Link: CVE-2026-9230

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-04T09:30:16Z

Weaknesses