The ays-pro Quiz Maker plugin for WordPress suffers from a sensitive information exposure vulnerability identified as CVE-2025-12426. The root cause is the insecure implementation of the AJAX endpoint ays_quiz_check_answer, which returns quiz answers without enforcing proper authorization checks. Instead, it relies solely on a nonce token for validation. However, this nonce is publicly exposed to all visitors via the quiz_maker_ajax_public localized script data, making it trivial for unauthenticated attackers to obtain it. Consequently, attackers can invoke the AJAX action to retrieve correct answers for any quiz question hosted on the vulnerable WordPress site. This vulnerability affects all versions up to and including 6.7.0.80 of the plugin. The CVSS 3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts confidentiality only, without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

This vulnerability can lead to unauthorized disclosure of quiz answers, undermining the integrity of quizzes and assessments conducted via the affected WordPress plugin. Organizations relying on the Quiz Maker plugin for training, certification, or educational purposes may face reputational damage, loss of trust, and reduced effectiveness of their quizzes. While it does not directly impact system integrity or availability, the exposure of sensitive quiz data could facilitate cheating or unauthorized knowledge acquisition. This may be particularly impactful for educational institutions, certification bodies, and corporate training environments. Additionally, attackers could leverage the exposed information for social engineering or to gain insights into organizational processes if quizzes contain sensitive or proprietary content.

To mitigate this vulnerability, organizations should immediately upgrade the ays-pro Quiz Maker plugin to a version where the issue is fixed once available. Until a patch is released, administrators should consider disabling the vulnerable AJAX endpoint or restricting access to it via web application firewall (WAF) rules or server-level access controls to authenticated users only. Reviewing and limiting the exposure of nonce tokens in publicly accessible scripts can reduce risk. Additionally, monitoring web server logs for suspicious AJAX requests targeting ays_quiz_check_answer can help detect exploitation attempts. Implementing strict role-based access control and minimizing plugin usage to trusted users can further reduce attack surface. Finally, organizations should conduct security audits of other plugins to ensure similar authorization weaknesses are not present.