CVE-2025-9294 identifies an improper authorization vulnerability (CWE-285) in the Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker WordPress plugin developed by expresstech. The vulnerability exists in the qsm_dashboard_delete_result function, which lacks a proper capability check to verify if the authenticated user has sufficient privileges to delete quiz results. This flaw affects all plugin versions up to and including 10.3.1. As a result, any authenticated user with Subscriber-level access or higher can exploit this vulnerability to delete quiz results, bypassing intended access controls. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 4.3 (medium), reflecting low complexity of attack (AC:L), network attack vector (AV:N), and limited impact on integrity only (I:L) without affecting confidentiality or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability primarily threatens data integrity by enabling unauthorized deletion of quiz results, which could disrupt data reliability and reporting for organizations relying on QSM for assessments or surveys.

The primary impact of CVE-2025-9294 is unauthorized modification of data integrity through deletion of quiz results. Organizations using the QSM plugin for assessments, surveys, or data collection may experience loss of critical data, leading to inaccurate reporting, compromised decision-making, and potential disruption of business processes relying on quiz outcomes. While confidentiality and availability are not directly affected, the integrity loss can undermine trust in the system and cause operational inefficiencies. Attackers with low-level authenticated access (Subscriber or higher) can exploit this vulnerability without elevated privileges, increasing the risk from insider threats or compromised low-privilege accounts. Although no known exploits are currently reported, the ease of exploitation and widespread use of WordPress and QSM plugin globally could lead to future attacks targeting educational institutions, businesses, and organizations that rely on quiz data for analytics or compliance.

To mitigate CVE-2025-9294, organizations should immediately restrict user roles and permissions to minimize the number of users with Subscriber-level or higher access unless necessary. Implement strict access control policies and regularly audit user privileges to detect and remove unnecessary accounts. Monitor logs for unusual deletion activities related to quiz results. Since no official patch is currently available, consider temporarily disabling the QSM plugin or restricting access to the quiz results management interface to trusted administrators only. For developers or site administrators with technical capability, apply custom code to enforce capability checks on the qsm_dashboard_delete_result function as a temporary workaround. Stay alert for official patches or updates from expresstech and apply them promptly once released. Additionally, maintain regular backups of quiz data to enable recovery in case of unauthorized deletions.