🔐 CVE Alert

CVE-2025-9637

MEDIUM 6.5

Quiz and Survey Master (QSM) <= 10.3.1 - Missing Authorization to Unpublished, Private And Password-Protected Quiz Information Disclosure And Image Response Uploads

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes, which allow file upload.

CWE CWE-862
Vendor expresstech
Product quiz and survey master (qsm) – easy quiz and survey maker
Published Jan 6, 2026
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for expresstech quiz and survey master (qsm) – easy quiz and survey maker

Be the first to know when new medium vulnerabilities affecting expresstech quiz and survey master (qsm) – easy quiz and survey maker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

expresstech / Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
0 ≤ 10.3.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/88a9abf4-62a9-4695-87e7-18ff0b0075e9?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L281 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L1987 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/rest-api.php

Credits

Rahul Sreenivasan