Security Alert Summary
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress contains an authorization bypass affecting versions up to and including 11.1.4. Authenticated users with contributor-level access or higher can create, modify, and delete quiz output templates stored in the mlw_quiz_output_templates database table, potentially storing unsanitized HTML such as arbitrary script tags.
CVE Details
- CVE ID: CVE-2026-9233
- Affected component: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress
- Affected versions: All versions up to, and including, 11.1.4
- Published date: June 27, 2026 at 8:16:45 AM
- Last modified date: June 27, 2026 at 8:16:45 AM
- CVSS v3.1 base score: 4.3 (MEDIUM)
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Authentication / privileges / user interaction: Authentication required; privileges required: LOW (contributor-level or higher); user interaction: NONE
- Primary impact: Confidentiality: NONE; Integrity: LOW; Availability: NONE
- Weakness: CWE-862 (Authorization Bypass)
Technical Details
This vulnerability is an authorization bypass caused by the plugin not properly verifying that a user is authorized to perform actions against quiz output templates. Authenticated users with low-level privileges (for example, contributor role) can create, modify, or delete records in the mlw_quiz_output_templates database table. Because the plugin can store unsanitized HTML, an attacker with the required privileges may save arbitrary HTML content, including script tags, into these templates.
The core issue is missing or insufficient authorization checks around template management. The vulnerability is not a flaw in the plugin's sanitization routines at render time; rather, it allows untrusted users to place potentially dangerous content into stored templates by bypassing authorization controls.
Impact is limited to the integrity of quiz output templates and any content derived from them. The ability to store unsanitized HTML increases the risk that malicious content could be served to site users or editors when those templates are rendered.
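The following is an added illustrative example, not code from the QSM plugin, showing the shape of a WordPress AJAX save handler that enforces the checks whose absence the advisory describes: a capability check, a CSRF nonce, and HTML sanitization before anything reaches the mlw_quiz_output_templates table. The action name, nonce name, capability and column names are placeholders, since the advisory does not give the plugin's real schema or handler names.

```php
<?php
// Added example (not QSM's own code). Hypothetical handler for saving a quiz
// output template with the authorization and sanitization controls in place.
// Assumptions: action/nonce names, the manage_options capability and the
// column names are placeholders; the real table schema is not on the page.

add_action( 'wp_ajax_example_save_output_template', 'example_save_output_template' );

function example_save_output_template() {
    global $wpdb;

    // 1. Authorization. The vulnerable pattern writes to the table without any
    //    current_user_can() check, which is why contributor-level users can
    //    reach it. Require an administrative capability instead (a plugin
    //    would normally define its own capability; manage_options is a stand-in).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection. The nonce ties the request to an intentional action
    //    taken from the admin UI; check_ajax_referer() terminates on failure.
    check_ajax_referer( 'example_save_output_template', 'security' );

    // 3. Input handling. Strip WordPress magic-quote slashes, then sanitize.
    //    wp_kses_post() removes <script> elements and on* event attributes,
    //    limiting stored content to the HTML allowed in post content.
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    if ( '' === $title || '' === $content ) {
        wp_send_json_error( array( 'message' => 'Title and content are required.' ), 400 );
    }

    // 4. Storage. Use $wpdb->insert() with explicit formats so values are
    //    parameterized rather than concatenated into SQL.
    $table    = $wpdb->prefix . 'mlw_quiz_output_templates';
    $inserted = $wpdb->insert(
        $table,
        array( 'title' => $title, 'content' => $content ), // placeholder columns
        array( '%s', '%s' )
    );

    if ( false === $inserted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }

    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}
```

Filtering on save does not clean rows written before a fix, so template content should also be passed through wp_kses_post() when it is rendered.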
How This Could Impact Your Website
Imagine a site where the owner manages quizzes, internal staff create and review content, and an external contractor has contributor access to add new quiz items. If a contributor account is compromised or misused, the contributor could save a quiz output template containing malicious HTML or script tags. When other users view affected quiz pages or administrative previews, that malicious content could be rendered in the browser and be used to display fake prompts, capture input, or perform other actions that leverage the rendered page context.
Practical consequences include the risk of crafted quiz pages that attempt social engineering or trick users into revealing credentials or other sensitive information, or display misleading content to site visitors and staff. These scenarios increase the chance of targeted phishing or other social engineering attacks, even though the CVSS data indicates no direct confidentiality loss from this vulnerability itself.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior related to quiz templates and content updates.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.0.0/mlw_quizmaster2.php#L931
- https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.0.0/php/admin/functions.php#L1557
- https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.0.0/php/admin/functions.php#L1563
- https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.0.0/php/admin/functions.php#L1638
- https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.0.0/php/admin/options-page-email-tab.php#L52
- https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/mlw_quizmaster2.php#L931
- https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/admin/functions.php#L1557
- https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/admin/functions.php#L1563
- https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/admin/functions.php#L1638
- https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/admin/options-page-email-tab.php#L52
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3570062%40quiz-master-next&new=3570062%40quiz-master-next&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/38db911b-cad5-4c8c-b0a4-70dc543b4591?source=cve