
📄 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference

07 Jan 2026 00:00:00 | Reported by Karuppiah Sabari Kumar | Type: packetstorm | Source: packetstorm.news

The Chained Quiz plugin exposes completion_id in a client-side cookie, allowing an unauthenticated IDOR that tampers with other users' quiz attempts.

# Exploit Title: Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
    # Date: 19-12-2025
    # Exploit Author: Karuppiah Sabari Kumar(0xsabre)
    # Vendor Homepage: https://wordpress.org/plugins/chained-quiz/
    # Software Link: https://downloads.wordpress.org/plugin/chained-quiz.1.3.3.zip
    # Version: <= 1.3.3
    # Tested on: WordPress / Linux
    # CVE: CVE-2025-10493
    
    ------------------------------------------------------------
    
    ## Vulnerability Type
    Insecure Direct Object Reference (IDOR) / Improper Authorization
    
    ------------------------------------------------------------
    
    ## Description
    The Chained Quiz plugin stores each quiz attempt using a predictable,
    auto-incrementing database ID (completion_id) and exposes this value
    directly in a client-side cookie named:
    
        chained_completion_id<quiz_id>
    
    When submitting or re-submitting quiz answers via admin-ajax.php, the
    server updates the quiz attempt record based solely on this cookie value,
    without verifying that the attempt belongs to the currently authenticated
    user.
    
    No authentication is required to exploit this vulnerability when the
    plugin is used with default settings.
    
    The server retrieves the quiz attempt directly using the completion_id
    from the cookie and performs an UPDATE query without verifying ownership.
    
    As a result, an attacker can hijack or tamper with other users’ quiz
    attempts by guessing or enumerating valid completion_id values and
    replaying answer submissions.
    
    ------------------------------------------------------------
    
    ## Affected Component
    Quiz submission and results handling functionality via admin-ajax.php
    
    ------------------------------------------------------------
    
    ## Proof of Concept (PoC)
    
    ### Step 1: Victim user submission
    A user completes a quiz. The submission is stored using a completion ID
    and associated with the user’s session via a cookie, for example:
    
        chained_completion_id1=2
    
    ------------------------------------------------------------
    
    ### Step 2: Attacker interception
    The attacker completes the same quiz and intercepts their own submission
    request using a proxy or browser developer tools.
    
    Example request:
    
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Cookie: chained_completion_id1=1
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    
    answer=0&question_id=1&quiz_id=1&post_id=117&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1
    
    ------------------------------------------------------------
    
    ### Step 3: Tampering
    The attacker modifies the cookie value to match another user’s quiz
    attempt, for example:
    
        chained_completion_id1=2
    
    The attacker may also modify parameters such as "answer" or "points" to
    manipulate quiz responses or scores.
    
    The modified request is then sent to the server.
    
    ------------------------------------------------------------
    
    ### Step 4: Result
    The server overwrites the victim user’s quiz submission, including answers
    and points, without validating ownership of the completion ID.
    
    ------------------------------------------------------------
    
    ## Impact
    An attacker can arbitrarily modify quiz answers, scores, or results
    belonging to other users. This results in an integrity violation of quiz
    data and allows unauthorized manipulation of finalized quiz attempts.
    In environments where quiz results are used for assessments, leaderboards,
    or certificates, this can undermine trust in the platform and affect any
    downstream integrations that rely on quiz completion data.
    
    ------------------------------------------------------------
    
    ## CWE
    - CWE-639: Authorization Bypass Through User-Controlled Key
    - CWE-285: Improper Authorization
    
    ------------------------------------------------------------
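
One way to close the gap described above, added here as an example (it is not the plugin's code or the vendor's patch): the server issues the completion ID together with an HMAC and refuses any cookie whose MAC does not verify, so an edited ID is rejected before any UPDATE runs. The function names, the `id.mac` cookie format and the server-side key are assumptions; only the cookie name pattern comes from the advisory.

```php
<?php
declare(strict_types=1);

// Added example, not Chained Quiz code. Function names and the "id.mac"
// cookie format are assumptions made for illustration.

const COOKIE_PREFIX = 'chained_completion_id'; // cookie name pattern from the advisory

/** MAC over quiz ID and completion ID; including the quiz ID prevents reuse across quizzes. */
function completion_mac(string $key, int $quizId, int $completionId): string
{
    return hash_hmac('sha256', $quizId . '|' . $completionId, $key);
}

/** Cookie value the server sets when it creates the attempt row. */
function issue_completion_cookie(string $key, int $quizId, int $completionId): string
{
    return $completionId . '.' . completion_mac($key, $quizId, $completionId);
}

/** Returns the completion ID if the cookie is authentic, otherwise null. */
function verify_completion_cookie(string $key, int $quizId, array $cookies): ?int
{
    $raw = $cookies[COOKIE_PREFIX . $quizId] ?? null;
    if (!is_string($raw) || !preg_match('/\A([1-9][0-9]{0,17})\.([0-9a-f]{64})\z/', $raw, $m)) {
        return null; // missing, malformed, or a bare integer in the old format
    }
    $id = (int) $m[1];
    // Constant-time comparison of the recomputed MAC with the presented one.
    return hash_equals(completion_mac($key, $quizId, $id), $m[2]) ? $id : null;
}

// --- constructed demo values ---
$key = random_bytes(32); // stands in for a secret stored server-side (assumption)

// Case 1: the value the server issued for quiz 1, completion 1.
$issued = issue_completion_cookie($key, 1, 1);
var_dump(verify_completion_cookie($key, 1, [COOKIE_PREFIX . '1' => $issued]));

// Case 2: the Step 3 edit, ID changed to 2 while the old MAC is reused.
$edited = '2.' . explode('.', $issued)[1];
var_dump(verify_completion_cookie($key, 1, [COOKIE_PREFIX . '1' => $edited]));

// Case 3: the bare integer cookie format shown in the advisory.
var_dump(verify_completion_cookie($key, 1, [COOKIE_PREFIX . '1' => '2']));
```

This check covers only the cookie; the `points` value in the request body is still supplied by the client and has to be computed on the server.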

Vulners AI Score: 6.7 (Medium risk)
CVSS 3.1: 5.3
EPSS: 0.00855