CVE-2025-12426 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the ays-pro Quiz Maker plugin for WordPress, specifically all versions up to and including 6.7.0.80. The root cause is the plugin's ays_quiz_check_answer AJAX action, which returns quiz answers without enforcing proper authorization controls. Instead of verifying user permissions, the endpoint only validates a nonce token. However, this nonce is publicly exposed through the quiz_maker_ajax_public localized script data, making it accessible to any visitor of the WordPress site. Consequently, an unauthenticated attacker can invoke the AJAX endpoint with the public nonce to retrieve correct answers to quiz questions, compromising the confidentiality of quiz content. The vulnerability does not impact integrity or availability, and no authentication or user interaction is required to exploit it. The CVSS v3.1 base score is 5.3, indicating a medium severity level due to the network attack vector, low attack complexity, and no privileges or user interaction needed. No patches or fixes are currently linked, and no known exploits have been observed in the wild. This vulnerability primarily threatens the confidentiality of quiz data, which could be sensitive in educational or assessment contexts.

For European organizations, the exposure of quiz answers can undermine the integrity of educational assessments, certification processes, or training programs conducted via WordPress sites using the vulnerable Quiz Maker plugin. Confidential information leakage could lead to unfair advantages, reputational damage, and loss of trust among users or clients. Organizations relying on quizzes for compliance training, employee evaluations, or customer engagement may face operational risks if quiz content is compromised. Although the vulnerability does not enable system takeover or data destruction, the confidentiality breach could have legal and regulatory implications, especially under GDPR if personal data or assessment results are indirectly exposed. The risk is higher for educational institutions, e-learning platforms, and corporate training providers in Europe that utilize this plugin. Attackers could also leverage the exposed answers to facilitate social engineering or phishing attacks targeting organizations’ employees or users.

European organizations should immediately audit their WordPress installations to identify the presence of the ays-pro Quiz Maker plugin and verify its version. Until an official patch is released, administrators should consider disabling the plugin or restricting access to quiz-related AJAX endpoints via web application firewalls or server-level access controls to prevent unauthenticated requests. Implementing IP whitelisting or requiring user authentication for AJAX actions can mitigate unauthorized data exposure. Monitoring web server logs for suspicious AJAX requests to ays_quiz_check_answer can help detect exploitation attempts. Organizations should also follow vendor communications closely for security updates or patches and apply them promptly once available. Additionally, reviewing quiz content to avoid including highly sensitive information and educating users about the risk can reduce potential impact. Employing security plugins that enhance WordPress authorization checks and nonce handling may provide interim protection.