Platform
wordpress
Component
quiz-maker
Fixed version
6.7.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Ays Pro Quiz Maker WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of quiz data. The vulnerability impacts versions from 0.0.0 through 6.7.0.82, and a patch is available in version 6.7.0.83.
The CSRF vulnerability in Quiz Maker allows an attacker to leverage a user's authenticated session to execute malicious actions. For example, an attacker could craft a malicious link or embed a hidden form on a website that, when visited by a logged-in user of the Quiz Maker plugin, could modify quiz settings, delete quizzes, or even create new quizzes without the user's knowledge. The blast radius is limited to the scope of actions a user can perform within the Quiz Maker plugin, but the potential for unauthorized data manipulation is significant. This vulnerability is similar in nature to other CSRF flaws, where user trust is exploited to execute unintended actions.
This vulnerability was publicly disclosed on 2025-12-09. There are currently no known public proof-of-concept exploits available. The CVSS score of 4.3 (MEDIUM) indicates a moderate risk. It is not listed on the CISA KEV catalog at the time of writing.
WordPress websites utilizing the Ays Pro Quiz Maker plugin, particularly those running older versions (0.0.0–6.7.0.82), are at risk. Shared hosting environments where plugin updates are not consistently managed are also particularly vulnerable, as are websites with a large user base and frequent quiz creation/modification activity.
• wordpress / composer / npm:
grep -r 'ays_pro_quiz_maker_save_quiz' /var/www/html/wp-content/plugins/
• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=ays_pro_quiz_maker_save_quiz | grep -i 'csrf'
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67595 is to upgrade the Ays Pro Quiz Maker plugin to version 6.7.0.83 or later. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the plugin can load resources. Additionally, implement strict input validation and output encoding within the plugin's code to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured with CSRF protection rules can also provide a layer of defense, though this is not a substitute for patching the plugin. After upgrading, confirm the fix by attempting to trigger a quiz modification action from a different browser session without being logged in.
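The CSRF pattern described above (a hidden form on a third-party page driving an admin-ajax action in a logged-in user's session) and the plugin-side fix are illustrated below with an added example; this is not the Quiz Maker plugin's code, and the action name example_save_quiz, the option key example_quiz_settings and the capability chosen are placeholders. It shows a hypothetical handler without protection beside the same handler guarded by a WordPress nonce check and a capability check, plus how the nonce reaches the admin page's script.

```php
<?php
// Added example, not the Quiz Maker plugin's own code. Names are placeholders.

// Vulnerable pattern: any POST to admin-ajax.php?action=example_save_quiz
// from a logged-in browser is honoured, including one submitted by a hidden
// form on an attacker-controlled page. Nothing ties the request to the user's
// intent, which is the CSRF condition the advisory describes.
function example_save_quiz_vulnerable() {
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'example_quiz_settings', array( 'title' => $title ) );
    wp_send_json_success();
}

// Hardened pattern: the request must carry a nonce bound to this action and
// the current user's session, and the user must hold the required capability.
function example_save_quiz_hardened() {
    // check_ajax_referer() reads the 'nonce' POST field and terminates the
    // request (JSON "-1") when the nonce is missing, expired or forged.
    check_ajax_referer( 'example_save_quiz', 'nonce' );

    // Authorization is separate from CSRF protection: a valid nonce only proves
    // the request came from this site's own admin page for this user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'example_quiz_settings', array( 'title' => $title ) );
    wp_send_json_success();
}
// wp_ajax_{action} serves logged-in users only; wp_ajax_nopriv_ is deliberately not registered.
add_action( 'wp_ajax_example_save_quiz', 'example_save_quiz_hardened' );

// The admin page's script receives the nonce and sends it as the 'nonce' field
// of its POST body, so a cross-site form cannot know the value to include.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-quiz-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-quiz-admin', 'exampleQuiz', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_quiz' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

A quick post-upgrade check is to submit the action from a logged-in session with the nonce field omitted or altered: a patched handler rejects it, whereas the vulnerable pattern above would still write the option.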
Update to version 6.7.0.83 or a later fixed version.
CVE-2025-67595 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Ays Pro Quiz Maker WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Ays Pro Quiz Maker versions 0.0.0 through 6.7.0.82. Upgrade to 6.7.0.83 or later to mitigate the risk.
Upgrade the Ays Pro Quiz Maker plugin to version 6.7.0.83 or later. Consider implementing CSP and WAF rules as additional security measures.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the Ays Pro Quiz Maker website or WordPress plugin repository for the official advisory and update information.