CVE-2025-9637 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker WordPress plugin, versions up to and including 10.3.1. The root cause is the absence of proper capability and status checks on multiple functions within the plugin, which fails to enforce authorization controls on sensitive operations. This flaw enables unauthenticated attackers to bypass access restrictions and view details of quizzes that are unpublished, private, or password-protected. Additionally, attackers can submit file responses to quiz questions, effectively allowing file uploads without authentication. The vulnerability has a CVSS v3.1 base score of 6.5, reflecting medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality and integrity but not availability. The lack of proper authorization checks means that any remote attacker can exploit this vulnerability without needing to log in or trick users, increasing the risk of data leakage and potential malicious file uploads. No patches or fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. The plugin is widely used in WordPress environments for creating quizzes and surveys, making this vulnerability relevant to many websites globally.

The primary impact of CVE-2025-9637 is unauthorized disclosure of sensitive quiz data, including unpublished, private, or password-protected content, which can lead to information leakage and compromise of confidentiality. The ability to submit file responses without authentication introduces a risk of malicious file uploads, which could be leveraged for further attacks such as web shell deployment, malware distribution, or pivoting within the affected environment, thereby impacting integrity. Although availability is not directly affected, the potential for secondary attacks could disrupt services. Organizations relying on QSM for sensitive data collection or internal assessments may face reputational damage, data privacy violations, and compliance issues if exploited. The ease of exploitation (no authentication or user interaction required) and the broad scope of affected versions increase the threat surface. Given the plugin's popularity, a large number of WordPress sites globally are at risk, particularly those that do not regularly update or monitor plugin security. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate CVE-2025-9637, organizations should first verify if they are using the Quiz and Survey Master (QSM) plugin and identify the version in use. Immediate steps include: 1) Updating the plugin to a patched version once available from the vendor or developer, as no official patch links are currently provided; 2) If a patch is not yet available, restrict access to the WordPress admin and plugin directories via web server configuration to limit exposure; 3) Implement Web Application Firewall (WAF) rules to detect and block unauthorized access attempts to QSM endpoints, especially those related to quiz data retrieval and file uploads; 4) Disable or restrict file upload functionality within quizzes if not essential; 5) Monitor web server and application logs for unusual access patterns or file upload attempts targeting the plugin; 6) Employ principle of least privilege on WordPress user roles to minimize potential damage; 7) Regularly audit installed plugins and remove unused or outdated ones; 8) Consider isolating WordPress instances or using containerization to limit lateral movement if exploitation occurs. These targeted actions go beyond generic advice by focusing on access control, monitoring, and containment specific to this vulnerability's characteristics.