CVE-2025-9637 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker WordPress plugin developed by expresstech. The vulnerability exists in all versions up to and including 10.3.1 due to missing capability and status checks on multiple functions. This flaw allows unauthenticated attackers to bypass authorization controls and access sensitive quiz data that should be restricted, including unpublished, private, or password-protected quizzes. Furthermore, attackers can submit file responses to quiz questions, effectively enabling unauthorized file uploads. The lack of proper authorization checks means that no authentication or user interaction is required, and the attack can be executed remotely over the network. The CVSS v3.1 base score is 6.5 (medium severity), reflecting low complexity and no required privileges but limited impact on availability. The vulnerability compromises confidentiality by exposing sensitive quiz content and integrity by allowing unauthorized data modification through file uploads. Although no public exploits are known at this time, the potential for abuse exists, especially on websites relying on QSM for sensitive data collection or internal surveys. The absence of patch links suggests that fixes may not yet be publicly available, underscoring the need for interim mitigations.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive or confidential survey and quiz data, potentially exposing internal assessments, employee feedback, or customer information. The ability to upload files without authorization raises the risk of malicious payload delivery, including web shells or malware, which could lead to further compromise of the hosting environment. Organizations using QSM for internal or customer-facing applications may face reputational damage, regulatory compliance issues (e.g., GDPR violations due to data exposure), and operational disruptions if attackers leverage uploaded files for lateral movement or persistence. The medium severity rating reflects that while availability is not directly impacted, the confidentiality and integrity breaches can have significant consequences, especially in sectors handling sensitive data such as finance, healthcare, and government. The vulnerability’s ease of exploitation and lack of authentication requirements increase the risk of automated scanning and exploitation attempts, making timely mitigation critical.

1. Monitor for official patches or updates from expresstech and apply them immediately once released. 2. Until patches are available, restrict access to the QSM plugin’s quiz management interfaces using web server access controls or IP whitelisting. 3. Implement strict file upload restrictions by configuring allowed file types and size limits within the plugin settings or via additional security plugins. 4. Deploy a Web Application Firewall (WAF) with custom rules to detect and block unauthorized access attempts and suspicious file upload patterns targeting QSM endpoints. 5. Conduct regular security audits and scanning of WordPress installations to detect unauthorized files or modifications. 6. Educate site administrators on the risks of using outdated plugins and encourage timely updates. 7. Consider temporarily disabling the QSM plugin if it is not critical to operations until a secure version is available. 8. Review and harden WordPress user roles and permissions to minimize exposure from other potential vulnerabilities.