CVE-2026-24358 MEDIUM

CVE-2026-24358: WordPress Quiz And Survey Master plugin <= 10.3.3 - Broken Access Control vulnerability

Vendor Expresstech Systems

Product Quiz And Survey Master

Weakness CWE-862 · Missing authorization

Published January 22, 2026

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.3.

Explanation of Vulnerability in Simple Terms

02Summary

Quiz And Survey Master versions up to 10.3.3 lack proper authorization checks, allowing authenticated users to modify survey or quiz data they should not have access to. An attacker with a low-privilege account can alter quiz questions, answers, or survey responses. The vulnerability does not expose sensitive data or take the site offline, but compromises data integrity.

What an attacker can do

03Attacker Capabilities

Modify quiz or survey content without proper authorization.

Potential impact on your site

04Site Impact

Quiz and survey data can be altered by unauthorized users, affecting data accuracy and user trust.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06Disclosure timeline

January 22, 2026 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24358 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities