Overview
CVE-2025-12426 is a medium-severity vulnerability affecting the Quiz Maker plugin for WordPress, versions up to and including 6.7.0.80. This vulnerability allows unauthenticated attackers to retrieve sensitive information, specifically quiz answers, without proper authorization. The flaw stems from the exposure of quiz answers through the `ays_quiz_check_answer` AJAX action without adequate security checks.
Technical Details
The vulnerability resides in the plugin’s handling of AJAX requests for checking quiz answers. The `ays_quiz_check_answer` AJAX action is protected by a nonce, which is intended to prevent Cross-Site Request Forgery (CSRF) attacks. However, this nonce is published to all website visitors through the `quiz_maker_ajax_public` localized script data, so it does not restrict who can call the action. Any unauthenticated user can obtain the nonce and use it to send requests to the AJAX endpoint, effectively bypassing the intended security mechanism and retrieving the correct answers to quiz questions.
The vulnerable code sections are:
- `includes/class-quiz-maker.php#L393` – likely where the AJAX action is registered
- `public/class-quiz-maker-public.php#L179` – likely where the public nonce is localized
- `public/class-quiz-maker-public.php#L8490` – likely where the AJAX action handler resides
CVSS Analysis
The CVSS score for CVE-2025-12426 is 5.3 (MEDIUM). This score reflects the following characteristics:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality Impact (C): Low (L)
- Integrity Impact (I): None (N)
- Availability Impact (A): None (N)
The low confidentiality impact signifies that while sensitive information (quiz answers) is exposed, it doesn’t necessarily lead to complete data compromise or system takeover. The fact that no privileges or user interaction are required makes this vulnerability easily exploitable.
Possible Impact
Successful exploitation of this vulnerability can lead to the following consequences:
- Quiz Cheating: Students or individuals taking quizzes can easily obtain the correct answers, undermining the integrity of the assessment.
- Data Leakage: Exposed quiz answers may contain sensitive information, depending on the nature of the quiz questions (e.g., personal details, confidential business information).
- Reputational Damage: Organizations using the plugin for serious assessments may suffer reputational damage if the vulnerability is widely exploited.
Mitigation or Patch Steps
The recommended mitigation step is to update the Quiz Maker plugin to the latest available version, which includes a fix for this vulnerability. If an update is not yet available, consider temporarily disabling the plugin or implementing a custom security measure to protect the `ays_quiz_check_answer` AJAX action. The fix should include proper authorization checks to ensure only authorized users can access the quiz answers. Specifically, the plugin needs to avoid using a publicly available nonce for authenticating the AJAX request.
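One possible form of the "custom security measure" mentioned above is a must-use plugin that refuses `ays_quiz_check_answer` requests from visitors who are not logged in. This is an added example, not code from the Quiz Maker project or its patch. The file location under `wp-content/mu-plugins/` and the function name `qm_guard_block_anonymous` are assumptions made for the example, as is the plugin registering its handler on the standard `wp_ajax_nopriv_{action}` hook.

```php
<?php
/**
 * Plugin Name: Quiz Maker check-answer guard (temporary)
 * Description: Stop-gap for CVE-2025-12426 until Quiz Maker is updated.
 *
 * Example file, assumed to be saved as
 * wp-content/mu-plugins/qm-check-answer-guard.php
 */

// Refuse to run outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// admin-ajax.php fires wp_ajax_nopriv_{action} for visitors who are not
// logged in. Assumption: Quiz Maker registers its handler on this hook.
// PHP_INT_MIN makes this callback run before the plugin's handler,
// whatever priority the plugin used.
add_action(
    'wp_ajax_nopriv_ays_quiz_check_answer',
    'qm_guard_block_anonymous', // hypothetical name for this example
    PHP_INT_MIN
);

/**
 * Reject the request before the plugin's handler can return an answer.
 */
function qm_guard_block_anonymous() {
    // Record the attempt so repeated probing shows up in the PHP error log.
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( 'Blocked anonymous ays_quiz_check_answer request from ' . $remote );

    // wp_send_json_error() sends the response and ends the request, so the
    // plugin's own callback on this hook never runs.
    wp_send_json_error(
        array( 'message' => 'Login required to check answers.' ),
        403
    );
}
```

With this in place, anonymous visitors lose in-quiz answer checking, and logged-in users can still reach the action, so it reduces exposure until the plugin is updated rather than replacing the update.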
