The Chained Quiz plugin for WordPress, widely used for creating interactive quizzes, suffers from an authorization bypass vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key). In versions 1.3.4 and earlier, the plugin fails to properly validate the chained_completion_id cookie, which is user-controlled. This cookie identifies quiz attempts, and by manipulating its value, an unauthenticated attacker can hijack and modify other users' quiz submissions. This includes altering answers, scores, and final results, effectively compromising the integrity of quiz data. The vulnerability is an insecure direct object reference (IDOR) because the plugin trusts the user-supplied key without verifying ownership or authorization. The flaw does not impact confidentiality directly, as it does not expose sensitive data, nor does it affect availability. Partial patches in versions 1.3.4 and 1.3.5 address some aspects of the issue, but full remediation requires thorough validation of user keys and session ownership. Exploitation requires no privileges or user interaction and can be performed remotely over the network, increasing risk. No active exploitation has been reported, but the vulnerability's nature makes it a candidate for misuse in academic or training environments relying on this plugin.

This vulnerability primarily impacts the integrity of quiz data within affected WordPress sites. Attackers can alter quiz answers and scores of any user, undermining trust in quiz results and potentially affecting grading, certification, or user reputation systems that depend on accurate quiz outcomes. Organizations relying on the Chained Quiz plugin for educational, training, or certification purposes risk data manipulation that could invalidate assessments or lead to unfair advantages. While confidentiality and availability are not directly affected, the loss of data integrity can have reputational and operational consequences, especially in academic institutions, e-learning platforms, and corporate training environments. The ease of exploitation without authentication increases the threat landscape, allowing external attackers to target vulnerable sites at scale. Although no known exploits exist in the wild, the vulnerability's public disclosure may prompt attackers to develop exploits, increasing urgency for mitigation.

Organizations should immediately update the Chained Quiz plugin to the latest patched version beyond 1.3.5 once available, as partial patches exist but may not fully resolve the issue. Until a complete fix is confirmed, administrators should implement additional access controls such as restricting quiz submission endpoints via web application firewalls (WAFs) to trusted IP ranges or requiring user authentication for quiz submissions. Monitoring and logging of chained_completion_id cookie values and quiz submission activities can help detect anomalous behavior indicative of exploitation attempts. Site owners should audit user permissions and consider disabling the plugin if quizzes are not critical or if alternative secure quiz plugins are available. Developers maintaining the plugin should enforce strict validation of user-controlled keys against authenticated session data to prevent unauthorized access. Regular vulnerability scanning and penetration testing focused on IDOR vulnerabilities in WordPress plugins are recommended to identify similar issues proactively.