Platform: wordpress
Component: quiz-maker
Fixed in: 6.7.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Ays Pro Quiz Maker WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of quiz data. The vulnerability impacts versions from 0.0.0 through 6.7.0.82, and a patch is available in version 6.7.0.83.
The CSRF vulnerability in Quiz Maker allows an attacker to leverage a user's authenticated session to execute malicious actions. For example, an attacker could craft a malicious link or embed a hidden form on a website that, when visited by a logged-in user of the Quiz Maker plugin, could modify quiz settings, delete quizzes, or even create new quizzes without the user's knowledge. The blast radius is limited to the scope of actions a user can perform within the Quiz Maker plugin, but the potential for unauthorized data manipulation is significant. This vulnerability is similar in nature to other CSRF flaws, where user trust is exploited to execute unintended actions.
This vulnerability was publicly disclosed on 2025-12-09. There are currently no known public proof-of-concept exploits available. The CVSS score of 4.3 (MEDIUM) indicates a moderate risk. It is not listed on the CISA KEV catalog at the time of writing.
WordPress websites utilizing the Ays Pro Quiz Maker plugin, particularly those running older versions (0.0.0–6.7.0.82), are at risk. Shared hosting environments where plugin updates are not consistently managed are also particularly vulnerable, as are websites with a large user base and frequent quiz creation/modification activity.
• wordpress / composer / npm:
grep -r 'ays_pro_quiz_maker_save_quiz' /var/www/html/wp-content/plugins/
• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=ays_pro_quiz_maker_save_quiz | grep -i 'csrf'
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67595 is to upgrade the Ays Pro Quiz Maker plugin to version 6.7.0.83 or later. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the plugin can load resources. Additionally, implement strict input validation and output encoding within the plugin's code to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured with CSRF protection rules can also provide a layer of defense, though this is not a substitute for patching the plugin. After upgrading, confirm the fix by attempting to trigger a quiz modification action from a different browser session without being logged in.
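To show what the fix has to enforce, here is an added example (not the Quiz Maker plugin's code) of a hypothetical WordPress AJAX handler that saves a quiz title, first in a form open to CSRF and then hardened with the nonce and capability checks WordPress provides; the function names, the `example_save_quiz` action and the `example_quizzes` table are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hypothetical handler names and
// table name; the pattern is the standard WordPress nonce + capability check.

// --- Vulnerable form: trusts any request that arrives with the user's cookies.
function example_save_quiz_vulnerable() {
    global $wpdb;
    $quiz_id = absint( $_POST['quiz_id'] ?? 0 );
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    // A cross-site form POST from any origin reaches this line as the
    // logged-in user, because nothing ties the request to a page the user
    // actually loaded from this site.
    $wpdb->update( $wpdb->prefix . 'example_quizzes', array( 'title' => $title ), array( 'id' => $quiz_id ) );
    wp_send_json_success();
}

// --- Hardened form: require a nonce bound to this action plus the
// capability needed to change quizzes.
function example_save_quiz_hardened() {
    global $wpdb;
    // check_ajax_referer() verifies the 'nonce' field against the action
    // name and dies with -1 (HTTP 403) when it is missing or invalid.
    check_ajax_referer( 'example_save_quiz', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $quiz_id = absint( $_POST['quiz_id'] ?? 0 );
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $wpdb->update( $wpdb->prefix . 'example_quizzes', array( 'title' => $title ), array( 'id' => $quiz_id ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_quiz', 'example_save_quiz_hardened' );

// The legitimate admin page embeds a nonce that the plugin's script sends back;
// a third-party site cannot read it, so a forged POST fails the check.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-quiz', plugins_url( 'quiz.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-quiz', 'exampleQuiz', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_quiz' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The post-upgrade check described above maps onto the hardened handler: a request without a valid nonce should be rejected with HTTP 403 before any quiz data is touched.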
Update to version 6.7.0.83, or a more recent fixed version.
CVE-2025-67595 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Ays Pro Quiz Maker WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Ays Pro Quiz Maker versions 0.0.0 through 6.7.0.82. Upgrade to 6.7.0.83 or later to mitigate the risk.
Upgrade the Ays Pro Quiz Maker plugin to version 6.7.0.83 or later. Consider implementing CSP and WAF rules as additional security measures.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the Ays Pro Quiz Maker website or WordPress plugin repository for the official advisory and update information.