Medium severity5.3NVD Advisory· Published Sep 18, 2025· Updated Apr 15, 2026
CVE-2025-10493
CVE-2025-10493
Description
The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=1.3.4+ 1 more
- (no CPE)range: <=1.3.4
- (no CPE)range: <=1.3.4
Patches
Vulnerability mechanics
References
6- plugins.trac.wordpress.org/browser/chained-quiz/tags/1.3.3/controllers/quizzes.phpnvd
- plugins.trac.wordpress.org/browser/chained-quiz/tags/1.3.3/models/quiz.phpnvd
- plugins.trac.wordpress.org/changeset/3362561/nvd
- plugins.trac.wordpress.org/changeset/3362701/nvd
- plugins.trac.wordpress.org/changeset/3362966/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/1d8f6965-1fe3-4f24-bd6b-9026e91bc5dbnvd
News mentions
0No linked articles in our index yet.