CVE-2025-6790
Description
The Quiz and Survey Master (QSM) WordPress plugin before 10.2.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Quiz and Survey Master plugin before 10.2.3 lacks CSRF protection on settings updates, allowing attackers to change settings via a CSRF attack.
The Quiz and Survey Master (QSM) WordPress plugin, versions before 10.2.3, does not include a Cross-Site Request Forgery (CSRF) check when updating its settings. This means that the plugin fails to verify that a request to modify settings originates from the intended administrator, leaving the settings endpoint vulnerable to CSRF attacks [1].
An attacker can exploit this by crafting a malicious link or page that, when visited by a logged-in administrator, triggers a request to change the plugin's settings without the admin's knowledge. The attack requires the admin to be authenticated and to interact with the attacker's crafted request, but no additional authentication is needed beyond the admin's existing session [1].
Successful exploitation allows the attacker to modify the plugin's settings arbitrarily. This could lead to unauthorized changes in quiz or survey configurations, potentially affecting data collection or site behavior. The impact is limited to settings changes, but could be used to further compromise the site's functionality [1].
The vulnerability is fixed in version 10.2.3 of the plugin. Users are advised to update to this version or later to mitigate the risk. No workarounds are mentioned in the advisory [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
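What a settings handler without a CSRF check looks like in a WordPress plugin, next to a form and handler that verify a nonce. This is an added example, not QSM's code or its 10.2.3 patch; the `example_*` function, option, action and nonce names are hypothetical, and only the WordPress core functions called are real.

```php
<?php
/**
 * Plugin Name: Example Settings CSRF Demo (hypothetical, not QSM code)
 */

// Hypothetical identifiers used only for this illustration.
const EXAMPLE_ACTION = 'example_save_settings';
const EXAMPLE_NONCE  = 'example_settings_nonce';

// Settings form: wp_nonce_field() embeds a token bound to the user, the
// session and the action, which a page on another origin cannot read.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_ACTION, EXAMPLE_NONCE ); ?>
        <input type="text" name="example_title"
               value="<?php echo esc_attr( get_option( 'example_title', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'Example', 'Example', 'manage_options',
        'example-settings', 'example_render_settings_form' );
} );

// Missing-check pattern, shown for contrast and deliberately not hooked:
// the capability test passes on the admin's cookie alone, so the handler
// cannot tell its own form from a request forged by another site.
function example_save_settings_unsafe() {
    if ( current_user_can( 'manage_options' ) && isset( $_POST['example_title'] ) ) {
        update_option( 'example_title',
            sanitize_text_field( wp_unslash( $_POST['example_title'] ) ) );
    }
}

// Hardened handler: authorisation first, then proof the request came from the form.
function example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Ends the request with a 403 page if the nonce is missing or invalid.
    check_admin_referer( EXAMPLE_ACTION, EXAMPLE_NONCE );
    if ( isset( $_POST['example_title'] ) ) {
        update_option( 'example_title',
            sanitize_text_field( wp_unslash( $_POST['example_title'] ) ) );
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_save_settings' );
```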
Affected products (2)
- Range: <10.2.3
- Range: <10.2.3
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.