Description

The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz answers through the ays_quiz_check_answer AJAX action without proper authorization checks. The endpoint only validates a nonce, but that same nonce is publicly available to all site visitors via the quiz_maker_ajax_public localized script data. This makes it possible for unauthenticated attackers to extract sensitive data including quiz answers for any quiz question.

INFO

Published Date :

2025-11-19T04:28:19.408Z

Last Modified :

2025-11-19T20:11:52.850Z

Source :

Wordfence
AFFECTED PRODUCTS

The following products are affected by CVE-2025-12426 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-12426.

URL Resource
https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/includes/class-quiz-maker.php#L393 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/public/class-quiz-maker-public.php#L179 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/public/class-quiz-maker-public.php#L8490 cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/bc524e3e-9b7c-47ae-ab44-c327b287b81a?source=cve cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact