{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24358", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.566Z", "datePublished": "2026-01-22T16:52:44.066Z", "dateUpdated": "2026-04-28T16:14:47.844Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "quiz-master-next", "product": "Quiz And Survey Master", "vendor": "ExpressTech Systems", "versions": [{"changes": [{"at": "10.3.4", "status": "unaffected"}], "lessThanOrEqual": "10.3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:03.770Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Quiz And Survey Master: from n/a through <= 10.3.3.</p>"}], "value": "Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.844Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Quiz And Survey Master plugin <= 10.3.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T01:48:36.529908Z", "id": "CVE-2026-24358", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:48:39.273Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24358", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T01:48:36.529908Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T16:48:21.517Z"}}], "cna": {"title": "WordPress Quiz And Survey Master plugin <= 10.3.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ExpressTech Systems", "product": "Quiz And Survey Master", "versions": [{"status": "affected", "changes": [{"at": "10.3.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "10.3.3"}], "packageName": "quiz-master-next", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:03.770Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Quiz And Survey Master: from n/a through <= 10.3.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.131Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24358", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:48:39.273Z", "dateReserved": "2026-01-22T14:42:24.566Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:44.066Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.3."}, {"lang": "es", "value": "Vulnerabilidad de Falta de Autorizaci\u00f3n en ExpressTech Systems Quiz And Survey Master quiz-master-next permite la explotaci\u00f3n de niveles de seguridad de control de acceso mal configurados. Este problema afecta a Quiz And Survey Master: desde n/a hasta &lt;= 10.3.3."}], "id": "CVE-2026-24358", "lastModified": "2026-04-28T03:16:03.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:39.570", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T17:59:33.808936+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of Quiz And Survey Master that contains the missing authorization fix.", "If an immediate upgrade is not possible, enforce strict access controls: configure the plugin to require authenticated users for all quiz and survey operations and apply role\u2011based restrictions in WordPress for the plugin functionality.", "Deploy a web application firewall or rate\u2011limit rules to block unauthenticated requests targeting quiz\u2011master\u2011next endpoints and monitor logs for unauthorized access attempts."], "summary": {"action": "Patch Now", "impact": "Unauthorized Access / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All installations of the ExpressTech Systems Quiz And Survey Master WordPress plugin up to and including version 10.3.3 are affected. The reference to n/a in the version range indicates that no earlier version is exempt; therefore any deployment of the plugin in these versions is vulnerable.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows attackers to bypass incorrectly configured access control security levels on ExpressTech Systems Quiz And Survey Master. This missing authorization (CWE\u2011862) gives potentially unauthorized users the ability to perform actions that should be restricted to authenticated or privileged users. The description does not specify the exact actions that become available, but the flaw permits bypassing typical access restrictions within the plugin.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a medium severity, while the EPSS score of less than 1% shows a low probability of exploitation at present. It is not listed in the CISA KEV catalog. The attack vector is likely over the network through the plugin\u2019s HTTP endpoints, as no local-only restrictions are mentioned. Therefore, the threat remains significant if no remediation is applied."}}}}, "created": "2026-01-23T16:28:27.598832+00:00", "updated": "2026-04-28T18:00:14.091594+00:00", "vendors": ["expresstech", "expresstech$PRODUCT$quiz_and_survey_master", "wordpress", "wordpress$PRODUCT$wordpress"]}