Medium severity5.3NVD Advisory· Published Sep 18, 2025· Updated Apr 15, 2026

CVE-2025-10493

Description

The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5.

Affected products

WordPress/Chained Quizinferred
Range: <=1.3.4
Package: https://wordpress.org/plugins/chained-quiz

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/chained-quiz/tags/1.3.3/controllers/quizzes.phpnvd
plugins.trac.wordpress.org/browser/chained-quiz/tags/1.3.3/models/quiz.phpnvd
plugins.trac.wordpress.org/changeset/3362561/nvd
plugins.trac.wordpress.org/changeset/3362701/nvd
plugins.trac.wordpress.org/changeset/3362966/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/1d8f6965-1fe3-4f24-bd6b-9026e91bc5dbnvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.002
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000