CVE-2025-9294: CWE-285 Improper Authorization in expresstech Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.
AI Analysis
Technical Summary
CVE-2025-9294 is an improper authorization vulnerability (CWE-285) in the WordPress plugin Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker, affecting all versions up to and including 10.3.1. The root cause is a missing capability check in qsm_dashboard_delete_result, the function that deletes quiz results: the handler never verifies, for example via current_user_can(), that the caller holds a capability appropriate for destroying quiz data. Because WordPress dispatches authenticated plugin actions to every logged-in account regardless of role, any user with Subscriber-level access or above can invoke the function and delete results, an operation that should be reserved for roles such as Administrator or Editor. A nonce check, if one is present, does not close this gap: nonces defend against CSRF, not against an authenticated low-privileged caller, and a Subscriber can obtain a valid nonce for their own session. Exploitation requires only a valid low-privileged account and a network request (AV:N, PR:L); no action by another user is needed. The CVSS 3.1 base score of 4.3 (medium) is consistent with no impact on confidentiality or availability and a low impact on integrity from the unauthorized deletion of records. At the time of publication no exploitation in the wild had been reported, and the record listed no vendor patch. Since every release up to 10.3.1 is affected, the population of vulnerable installations is broad, and the missing check undermines both the integrity and the auditability of quiz and survey data.
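The pattern the advisory describes, shown as an added example rather than code from the QSM plugin (whose source is not reproduced on this page): a WordPress AJAX handler that deletes a record without a capability check, next to a hardened version of the same handler. The hook names, the nonce action string, the result_id parameter and the example_results table are assumptions chosen for illustration.

```php
<?php
/**
 * Added example, not the QSM plugin's own code. Hook names, the nonce
 * action, the 'result_id' parameter and the table name are assumptions.
 */

// VULNERABLE PATTERN: wp_ajax_* hooks fire for every authenticated user,
// whatever their role, so a Subscriber can call this and delete any result.
add_action( 'wp_ajax_example_delete_result', 'example_delete_result_vulnerable' );
function example_delete_result_vulnerable() {
    global $wpdb;
    $result_id = isset( $_POST['result_id'] ) ? absint( $_POST['result_id'] ) : 0;

    // No current_user_can() and no nonce: this is the missing capability
    // check (CWE-285) the advisory describes.
    $wpdb->delete(
        $wpdb->prefix . 'example_results',
        array( 'result_id' => $result_id ),
        array( '%d' )
    );
    wp_send_json_success( array( 'deleted' => $result_id ) );
}

// HARDENED: authorization, then CSRF protection, then input validation.
add_action( 'wp_ajax_example_delete_result_secure', 'example_delete_result_secure' );
function example_delete_result_secure() {
    // 1. Authorization: only users allowed to manage the site may delete
    //    results. A nonce is not an authorization check; a Subscriber can
    //    obtain a nonce for their own session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF: verify the nonce bound to this action; on failure
    //    check_ajax_referer() terminates the request with a 403.
    check_ajax_referer( 'example_delete_result_nonce', 'nonce' );

    // 3. Input validation: only a positive integer ID is acceptable.
    $result_id = isset( $_POST['result_id'] ) ? absint( $_POST['result_id'] ) : 0;
    if ( $result_id < 1 ) {
        wp_send_json_error( array( 'message' => 'Invalid result ID.' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'example_results',
        array( 'result_id' => $result_id ),
        array( '%d' )
    );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// The admin page that issues the request must embed a nonce created with
// the same action string, for example:
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_delete_result_nonce' ),
// ) );
```

The hardened handler checks the capability before the nonce on purpose: check_ajax_referer() only proves that the request came from a page that embedded this user's nonce, so it would pass for a Subscriber just as readily as for an administrator. If deletion should be available to a narrower group than site administrators, register a custom capability and grant it to the intended roles rather than widening manage_options.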
Potential Impact
For European organizations, the primary impact is on data integrity: unauthorized deletion of quiz results destroys records used for assessments, feedback, or research, and without a recent backup they cannot be recovered. Educational institutions, market research firms, and any business that bases decisions on survey data are the most exposed. Confidentiality and the availability of the site itself are not affected, but a silent deletion can distort results, disrupt operations and damage reputation, especially where it goes unnoticed or is attributed to the wrong person. Sites with many Subscriber-level accounts, and in particular sites that allow self-registration, are at greatest risk, because that is all the access the flaw requires. The absence of known exploits lowers the immediate threat but does not remove it: an attacker holding phished or credential-stuffed Subscriber credentials, or a malicious insider, already has the access needed. The vulnerability may also affect compliance with data-governance obligations that require integrity and auditability of records.
Mitigation Recommendations
European organizations should first audit the accounts on every WordPress installation running QSM: list all users, remove stale or unexpected Subscriber accounts, and, where self-registration is not needed, disable it (Settings > General > "Anyone can register"), since open registration hands anyone the Subscriber access this flaw requires. Restrict quiz-management functions to trusted roles and, if quiz result integrity is critical and no fixed release is available, consider deactivating the plugin temporarily. WordPress core does not record plugin data deletions, so monitoring for unusual deletion activity requires an audit-logging plugin, database-level logging, or web-server access logs for admin-ajax.php and the admin pages; alert on result deletions performed by accounts that should never perform them. Enforce multi-factor authentication to reduce the chance that a Subscriber credential is phished or stuffed. Back up quiz and survey data on a schedule and test the restores, since a backup is the only way to recover deleted results. Track the vendor's releases and upgrade promptly once a version that fixes the issue is published. Finally, a web application firewall or reverse-proxy rule that denies requests invoking the vulnerable action from non-administrator sessions, or isolation of the WordPress instance, can reduce exposure while the site remains unpatched.
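The advice above to watch for unusual deletions needs a log source that WordPress core does not provide. The following must-use plugin is an added example, not part of the QSM plugin or of this advisory: it hooks the wpdb 'query' filter, through which every statement passes before execution, and writes one JSON line per DELETE or TRUNCATE that touches a watched table, with the acting user, their roles and the request that triggered it. The watched table name (mlw_results) and the optional blocking switch are assumptions; confirm the plugin's actual table names on your installation with SHOW TABLES before relying on it.

```php
<?php
/**
 * Plugin Name: Result deletion audit (added example, not part of QSM)
 * Description: Logs, and optionally blocks, DELETE/TRUNCATE statements
 * against watched tables. Install as wp-content/mu-plugins/result-audit.php.
 */

// ASSUMPTION: table names to watch, without the site prefix, pipe-separated
// if several. 'mlw_results' is assumed here, not taken from the advisory.
if ( ! defined( 'RESULT_AUDIT_TABLES' ) ) {
    define( 'RESULT_AUDIT_TABLES', 'mlw_results' );
}
// ASSUMPTION: emergency stopgap only. When true, watched deletions are refused
// for anyone without manage_options, which may break legitimate non-admin flows.
if ( ! defined( 'RESULT_AUDIT_BLOCK' ) ) {
    define( 'RESULT_AUDIT_BLOCK', false );
}

/**
 * True when $sql is a DELETE or TRUNCATE that names a watched table.
 */
function result_audit_is_watched_delete( $sql, $prefix ) {
    if ( ! preg_match( '/^\s*(DELETE|TRUNCATE)\b/i', $sql ) ) {
        return false;
    }
    $table_re = '/\b' . preg_quote( $prefix, '/' ) . '(?:' . RESULT_AUDIT_TABLES . ')\b/i';
    return (bool) preg_match( $table_re, $sql );
}

// wpdb::query() runs every statement through the 'query' filter, so this
// sees $wpdb->delete(), $wpdb->query( 'DELETE ...' ) and anything similar.
add_filter( 'query', function ( $sql ) {
    global $wpdb;
    if ( ! result_audit_is_watched_delete( $sql, $wpdb->prefix ) ) {
        return $sql;
    }

    // The filter can fire before pluggable functions are loaded; only then
    // is the user unknown. A deletion from an AJAX handler runs long after.
    $user_known = function_exists( 'wp_get_current_user' );
    $user       = $user_known ? wp_get_current_user() : null;
    $logged_in  = $user && $user->exists();

    $entry = array(
        'ts'     => gmdate( 'c' ),
        'user'   => $logged_in ? $user->user_login : '-',
        'roles'  => $logged_in ? implode( ',', $user->roles ) : '-',
        'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        'uri'    => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        // 'action' is the admin-ajax.php dispatch parameter: the field to alert on.
        'action' => isset( $_REQUEST['action'] )
            ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '-',
        'sql'    => substr( $sql, 0, 300 ),
    );
    // One JSON line per event in the PHP error log (or WP_DEBUG_LOG); ship it
    // to the SIEM and alert when 'roles' is anything other than administrator.
    error_log( 'RESULT_DELETE ' . wp_json_encode( $entry ) );

    if ( RESULT_AUDIT_BLOCK && $user_known && ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
    return $sql; // detective control by default: the query passes unchanged
} );
```

Because the filter runs on the SQL text, it catches deletions regardless of which plugin function issued them, which makes it a useful control beyond this one CVE. Keep the blocking switch off unless you have verified that no legitimate non-administrator workflow deletes results; the log alone is enough to answer who deleted what and through which action.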
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-20T22:35:45.725Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695cc9de3839e44175ff5dc8
Added to database: 1/6/2026, 8:37:50 AM
Last enriched: 1/6/2026, 8:52:08 AM
Last updated: 1/8/2026, 2:27:35 PM
Related Threats
- CVE-2026-21895: CWE-703: Improper Check or Handling of Exceptional Conditions in RustCrypto RSA (Low)
- CVE-2025-8307: CWE-257 Storing Passwords in a Recoverable Format in Asseco InfoMedica Plus (Medium)
- CVE-2025-8306: CWE-1220 Insufficient Granularity of Access Control in Asseco InfoMedica Plus (Medium)
- CVE-2025-14025: Incorrect Execution-Assigned Permissions in Red Hat Red Hat Ansible Automation Platform 2 (High)
- CVE-2026-21891: CWE-287: Improper Authentication in IceWhaleTech ZimaOS (Critical)