🔐 CVE Alert

CVE-2026-9230

MEDIUM 4.3

Quiz and Survey Master (QSM) <= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Quiz Modification and Email Reroute via Leaked Nonce from /quiz/structure

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify quizzes they do not own, overwrite quiz results pages, and reroute quiz-result notification emails to attacker-controlled addresses. An attacker first calls the /quiz/structure endpoint with an arbitrary victim quiz ID to obtain a valid nonce bound to that quiz ID and their own user ID, then presents that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership.

CWE CWE-862
Vendor expresstech
Product quiz and survey master (qsm) – easy quiz and survey maker
Published Jul 3, 2026
Stay Ahead of the Next One

Get instant alerts for expresstech quiz and survey master (qsm) – easy quiz and survey maker

Be the first to know when new medium vulnerabilities affecting expresstech quiz and survey master (qsm) – easy quiz and survey maker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

expresstech / Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
0 ≤ 11.1.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/49c66f9e-e58c-435b-9bb0-d6b66261e789?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/rest-api.php#L460 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/rest-api.php#L513 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/blocks/block.php#L424 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/blocks/block.php#L257 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/rest-api.php#L862 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/mlw_quizmaster2.php#L890 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/rest-api.php#L460 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/rest-api.php#L513 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/blocks/block.php#L424 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/blocks/block.php#L257 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/rest-api.php#L862 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/mlw_quizmaster2.php#L890 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3570062%40quiz-master-next&new=3570062%40quiz-master-next&sfp_email=&sfph_mail=

Credits

Kirasec