Plugin WordPress Quiz Maker <= 6.7.1.2 - Vulnérabilité Cross Site Request Forgery (CSRF)

A successful CSRF attack could allow an attacker to modify quiz settings, delete quizzes, or even gain access to user accounts associated with the plugin. The attacker would need to craft a malicious request and entice the victim to click a link or visit a webpage containing the crafted request. The impact is amplified if the plugin is used in environments with sensitive quiz data or if user accounts have elevated privileges. While not directly leading to system compromise, CSRF can be a stepping stone for further attacks if combined with other vulnerabilities.

Websites utilizing the Quiz Maker plugin, particularly those with user-generated quiz content or sensitive data, are at risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable if they haven't applied the patch.

• wordpress / composer / npm:

grep -r 'ays_pro_quiz_maker' /var/www/html/wp-content/plugins/
wp plugin list | grep 'Quiz Maker'

• generic web:

curl -I https://your-wordpress-site.com/ays-pro-quiz-maker/ | grep 'Server'

1. 2026-03-13Disclosure

   disclosure

Installations actives

20KPopulaire

Note du plugin

4.9

Nécessite WordPress

4.0+

Compatible jusqu'à

7.0

Nécessite PHP

7.0+

1. Réservé2026-03-12
2. Publiée2026-03-13
3. Modifiée2026-04-29
4. EPSS mis à jour2026-03-23

The primary mitigation for CVE-2026-32342 is to immediately upgrade the Quiz Maker plugin to version 6.7.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, ensure that all user input is properly validated and sanitized to prevent malicious data from being processed. Implement strict content security policies (CSP) to restrict the sources from which scripts can be executed.