Medium severity 4.3 · NVD Advisory · Published Jan 23, 2026 · Updated Apr 15, 2026

CVE-2026-24544

Description

Missing Authorization vulnerability in Harmonic Design HD Quiz (hd-quiz) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HD Quiz: from n/a through <= 2.0.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in HD Quiz plugin (≤2.0.9) allows unprivileged users to exploit incorrectly configured access controls.

Vulnerability

Overview

The HD Quiz plugin for WordPress, versions 2.0.9 and earlier, contains a missing authorization vulnerability. This is a broken access control issue where the plugin fails to properly verify user permissions before allowing certain actions. The flaw stems from missing authorization checks, nonce token validation, or authentication requirements in one or more functions, enabling unprivileged users to execute actions that should require higher privileges [1].

Exploitation

An attacker can exploit this vulnerability without needing any special privileges or authentication. The attack vector is network-based, with low attack complexity. No user interaction is required, and the vulnerability can be triggered remotely. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site traffic or popularity [1].

Impact

Successful exploitation allows an attacker to perform actions that should be restricted to higher-privileged users. The CVSS v3 base score is 4.3 (Medium), indicating a moderate severity. The impact is limited to low-level access control bypass, but when combined with other vulnerabilities or in automated attacks, it can lead to broader compromise [1].

Mitigation

The vulnerability has been addressed in version 2.0.10 of the HD Quiz plugin. Users are strongly advised to update immediately. For Patchstack users, auto-updates for vulnerable plugins can be enabled. If updating is not possible, contacting the hosting provider or web developer for assistance is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
