
CVE-2025-6790: CWE-352 Cross-Site Request Forgery (CSRF) in Quiz and Survey Master (QSM)

Severity: High
Tags: vulnerability, CVE-2025-6790, CWE-352
Published: Thu Aug 14 2025 (08/14/2025, 06:00:05 UTC)
Source: CVE Database V5
Product: Quiz and Survey Master (QSM)

Description

The Quiz and Survey Master (QSM) WordPress plugin before 10.2.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

AI-Powered Analysis

AI analysis last updated: 08/14/2025, 06:18:32 UTC

Technical Analysis

CVE-2025-6790 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Quiz and Survey Master (QSM) WordPress plugin versions prior to 10.2.3. The vulnerability arises because the plugin lacks proper CSRF protections when updating its settings. Specifically, no CSRF token or equivalent verification mechanism is implemented to ensure that requests to change plugin settings originate from legitimate, authenticated users. This security gap allows an attacker to craft malicious web requests that, when executed by an authenticated WordPress administrator, can alter the plugin's configuration without their consent or knowledge. Since the QSM plugin is used to create quizzes and surveys within WordPress sites, unauthorized changes to its settings could lead to a range of malicious outcomes, including the injection of malicious content, disruption of survey functionality, or manipulation of data collected through the plugin. The vulnerability requires the attacker to trick an authenticated admin into visiting a malicious webpage or clicking a crafted link, leveraging the admin's active session to perform unauthorized actions. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability was reserved in June 2025 and published in August 2025, indicating recent discovery and disclosure. The absence of a patch link suggests that a fixed version (10.2.3 or later) is either newly released or forthcoming. This vulnerability is classified under CWE-352, which corresponds to CSRF issues that allow unauthorized commands to be transmitted from a user that the web application trusts.

Potential Impact

For European organizations using WordPress sites with the QSM plugin, this vulnerability poses a significant risk to the integrity and availability of their web-based quiz and survey functionalities. An attacker exploiting this flaw could alter plugin settings to disrupt normal operations, potentially leading to data loss or corruption of survey results, which may affect decision-making processes reliant on this data. Additionally, unauthorized configuration changes could be leveraged to inject malicious scripts or redirect users, thereby compromising confidentiality and potentially facilitating further attacks such as phishing or malware distribution. Since the attack requires an authenticated admin session, the impact is limited to organizations where administrators may be tricked into visiting malicious sites, highlighting the importance of user awareness. However, the ease of exploitation through social engineering and the high privileges of admin accounts amplify the threat. For organizations in sectors like education, market research, or any domain relying on survey data integrity, this vulnerability could undermine trust and operational continuity. Moreover, if exploited at scale, it could lead to reputational damage and regulatory scrutiny under European data protection laws such as GDPR, especially if personal data collected via surveys is compromised or manipulated.

Mitigation Recommendations

European organizations should immediately verify the version of the QSM plugin installed on their WordPress sites and upgrade to version 10.2.3 or later where the CSRF protection is implemented. Until the patch is applied, administrators should be advised to avoid clicking on suspicious links or visiting untrusted websites while logged into WordPress admin accounts to reduce the risk of CSRF exploitation. Implementing additional security controls such as Web Application Firewalls (WAFs) with rules to detect and block CSRF attack patterns can provide a temporary safeguard. Organizations should also enforce strict session management policies, including short session timeouts and multi-factor authentication (MFA) for admin accounts, to limit the window of opportunity for attackers. Regular security awareness training focused on phishing and social engineering can help reduce the likelihood of an admin falling victim to CSRF attack vectors. Finally, monitoring and logging changes to plugin settings can help detect unauthorized modifications early, enabling rapid incident response.
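The missing request check described in the technical analysis and the settings-change logging recommended above, shown together as an added PHP example. This is not QSM's code: the option name, nonce action, handler and function names are hypothetical placeholders, and the example assumes a standard WordPress plugin context.

```php
<?php
// Added example (not QSM's own code). Option name 'example_plugin_settings',
// nonce action 'example_save_settings' and all function names are assumptions.

// WEAK (the CWE-352 pattern): any POST reaching this while an admin is logged in
// is honoured; nothing proves the admin intended the request.
function example_save_settings_weak() {
    update_option( 'example_plugin_settings', $_POST['settings'] );
}

// HARDENED: require a capability AND a valid nonce bound to this specific action.
function example_save_settings_hardened() {
    // Only users allowed to manage options may change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce for this action and dies with a
    // 403 when it is missing or stale; a cross-site form cannot supply it.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    $raw      = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    $settings = array(
        'title'  => sanitize_text_field( $raw['title'] ?? '' ),
        'notify' => ! empty( $raw['notify'] ) ? 1 : 0,
    );
    update_option( 'example_plugin_settings', $settings );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );

// The legitimate form must embed the matching nonce field so real submissions carry it.
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_settings">';
    wp_nonce_field( 'example_save_settings', '_example_nonce' );
    echo '<input name="settings[title]"><input type="checkbox" name="settings[notify]" value="1">';
    submit_button( 'Save' );
    echo '</form>';
}

// DETECTION: log every change to the plugin's option with the acting user and
// source address, so an unexpected modification can be spotted quickly.
add_action( 'updated_option', function ( $option, $old, $new ) {
    if ( 'example_plugin_settings' !== $option ) {
        return;
    }
    error_log( sprintf( '[audit] %s changed by user %d from %s: %s -> %s', $option,
        get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? '-',
        wp_json_encode( $old ), wp_json_encode( $new ) ) );
}, 10, 3 );
```

The audit line lands in the PHP error log (or wherever the site routes `error_log`), which is where a settings change made outside a normal admin session would show up during triage.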


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2025-06-27T14:08:34.258Z
CVSS Version: null
State: PUBLISHED

Threat ID: 689d7c3ead5a09ad0057c473

Added to database: 8/14/2025, 6:03:42 AM

Last enriched: 8/14/2025, 6:18:32 AM

Last updated: 8/14/2025, 7:16:29 AM

