CVE-2025-9294

MEDIUM4.3

Quiz And Survey Master <= 10.3.1 - Missing Authorization to Authenticated (Subscriber+) Quiz Results Deletion

Published Jan 6, 2026

Modified 1 weeks ago

No fix available

Details

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.

References

WEBhttps://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/admin/options-page-questions-tab.php#L1116 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-9294 WEBhttps://www.wordfence.com/threat-intel/vulnerabilities/id/55895508-d0ef-4855-8d15-b8a45ba0dcb2?source=cve

CVSS Analysis

CVSS v3.1

4.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

LowI:L

Availability

NoneA:N

4.3/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Weakness Type (CWE)

Other

CWE-285

Ecosystems

Timeline

PublishedJan 6, 2026

ModifiedJan 6, 2026