The vulnerability identified as CVE-2025-12426 affects the ays-pro Quiz Maker plugin for WordPress, specifically all versions up to and including 6.7.0.80. The core issue is an exposure of sensitive information (CWE-200) through the plugin's AJAX action named ays_quiz_check_answer. This endpoint is designed to verify quiz answers but lacks proper authorization controls. Instead, it relies solely on a nonce value for security. However, this nonce is publicly accessible to any site visitor because it is embedded in the quiz_maker_ajax_public localized script data, which is exposed on the client side. As a result, an unauthenticated attacker can invoke the AJAX action with the valid nonce and retrieve correct answers to any quiz question. This flaw does not require any user authentication or interaction, making it trivially exploitable by remote attackers. The vulnerability impacts confidentiality by leaking quiz answers, which could compromise the integrity of assessments, training programs, or any use case relying on quiz secrecy. The CVSS v3.1 score of 5.3 reflects a medium severity, considering the ease of exploitation (network vector, no privileges, no user interaction) but limited impact to confidentiality only, with no integrity or availability effects. No patches or fixes are currently linked, and no active exploitation has been reported. The vulnerability is particularly relevant for organizations using the Quiz Maker plugin in environments where quiz content confidentiality is critical, such as corporate training, educational institutions, or customer engagement platforms.

For European organizations, this vulnerability poses a risk primarily to the confidentiality of quiz content. Exposure of quiz answers can undermine the credibility and effectiveness of training programs, certification exams, or customer engagement initiatives that rely on quizzes. In regulated sectors such as education, finance, or healthcare, leaking assessment answers could violate compliance requirements or data protection standards. Additionally, organizations using quizzes for internal knowledge assessments or employee training may face operational risks if training integrity is compromised. Since the vulnerability allows unauthenticated remote access, attackers could automate extraction of quiz answers at scale, potentially leading to widespread data leakage. Although the vulnerability does not affect system availability or integrity, the loss of confidentiality can have reputational and operational consequences. European organizations with public-facing WordPress sites using the affected plugin are particularly vulnerable. The impact is heightened in sectors with high reliance on digital learning and assessment tools, including universities, e-learning providers, and enterprises with extensive training programs.

Immediate mitigation steps include monitoring for plugin updates from the vendor and applying patches as soon as they become available. Until a patch is released, organizations should consider disabling the Quiz Maker plugin or restricting access to quiz pages via web application firewalls (WAF) or IP whitelisting to limit exposure. Implementing custom authorization checks on the ays_quiz_check_answer AJAX endpoint can prevent unauthorized access; for example, verifying user roles or session authentication before returning quiz answers. Reviewing and minimizing the exposure of nonce values in client-side scripts can reduce the risk of exploitation. Additionally, organizations should audit their WordPress installations for the presence of this plugin and assess the sensitivity of quiz content. Employing security plugins that monitor and block suspicious AJAX requests can provide temporary protection. Finally, educating site administrators about the risks of exposing sensitive data through AJAX endpoints and encouraging secure coding practices will help prevent similar vulnerabilities.