CVE-2026-25329 MEDIUM

CVE-2026-25329: WordPress Quiz And Survey Master plugin <= 10.3.4 - Broken Access Control vulnerability

Vendor Expresstech Systems
Product Quiz And Survey Master
Weakness CWE-862 · Missing authorization
Published February 19, 2026
Last update April 28, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.4.

Explanation of Vulnerability in Simple Terms

02Summary

Quiz And Survey Master versions up to 10.3.4 lack proper authorization checks, allowing authenticated users to modify quiz or survey data they should not have access to. An attacker with a low-privilege account can alter quiz settings, questions, or responses without permission. The vulnerability affects the integrity of quiz data but does not expose sensitive information or cause service disruption.

What an attacker can do

03Attacker Capabilities

Modify quiz or survey data belonging to other users or administrators.

Potential impact on your site

04Site Impact

Quiz and survey data integrity is at risk; users may alter quizzes they don't own.

Conditions required to exploit

05Prerequisites

Attacker must have a valid low-privilege user account on the site.

Key dates

06Disclosure timeline

February 19, 2026 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE