{"id":32859,"date":"2025-12-25T15:57:11","date_gmt":"2025-12-25T15:57:11","guid":{"rendered":"http:\/\/localhost\/?p=32859"},"modified":"2025-12-25T15:57:11","modified_gmt":"2025-12-25T15:57:11","slug":"chained-quiz-135-unauthenticated-insecure-direct-object-reference-via-cookie","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=32859","title":{"rendered":"Chained Quiz  1.3.5 &#8211; Unauthenticated Insecure Direct Object Reference via Cookie_EDB-ID:52464"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-12-25T20:46:49&#8243;,&#8221;description&#8221;:&#8221;Exploit Title: Chained Quiz 1.3.5 &#8211; Unauthenticated Insecure Direct Object Reference via Cookie Date: 19-12-2025 Exploit Author: Karuppiah Sabari Kumar0xsabre Vendor Homepage: https:\/\/wordpress.org\/plugins\/chained-quiz\/ Software Link:&#8230;&#8221;,&#8221;published&#8221;:&#8221;2025-12-25T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2025-12-25T00:00:00&#8243;,&#8221;type&#8221;:&#8221;exploitdb&#8221;,&#8221;title&#8221;:&#8221;Chained Quiz  1.3.5 &#8211; Unauthenticated Insecure Direct Object Reference via Cookie&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;EDB-ID:52464&#8243;,&#8221;bulletinFamily&#8221;:&#8221;exploit&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2025-10493&#8243;],&#8221;sourceData&#8221;:&#8221;# Exploit Title: Chained Quiz  1.3.5 &#8211; Unauthenticated Insecure Direct Object Reference via Cookie\\r\\n# Date: 19-12-2025\\r\\n# Exploit Author: Karuppiah Sabari Kumar(0xsabre)\\r\\n# Vendor Homepage: https:\/\/wordpress.org\/plugins\/chained-quiz\/\\r\\n# Software Link: https:\/\/downloads.wordpress.org\/plugin\/chained-quiz.1.3.3.zip\\r\\n# Version: \\u003c= 1.3.3\\r\\n# Tested on: WordPress \/ Linux\\r\\n# CVE: 
CVE-2025-10493\\r\\n\\r\\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;\\r\\n\\r\\n## Vulnerability Type\\r\\nInsecure Direct Object Reference (IDOR) \/ Improper Authorization\\r\\n\\r\\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;\\r\\n\\r\\n## Description\\r\\nThe Chained Quiz plugin stores each quiz attempt using a predictable,\\r\\nauto-incrementing database ID (completion_id) and exposes this value\\r\\ndirectly in a client-side cookie named:\\r\\n\\r\\n    chained_completion_id\\u003cquiz_id\\u003e\\r\\n\\r\\nWhen submitting or re-submitting quiz answers via admin-ajax.php, the\\r\\nserver updates the quiz attempt record based solely on this cookie value,\\r\\nwithout verifying that the attempt belongs to the currently authenticated\\r\\nuser.\\r\\n\\r\\nNo authentication is required to exploit this vulnerability when the\\r\\nplugin is used with default settings.\\r\\n\\r\\nThe server retrieves the quiz attempt directly using the completion_id\\r\\nfrom the cookie and performs an UPDATE query without verifying ownership.\\r\\n\\r\\nAs a result, an attacker can hijack or tamper with other users\u2019 quiz\\r\\nattempts by guessing or enumerating valid completion_id values and\\r\\nreplaying answer submissions.\\r\\n\\r\\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;\\r\\n\\r\\n## Affected Component\\r\\nQuiz submission and results handling functionality via admin-ajax.php\\r\\n\\r\\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;\\r\\n\\r\\n## Proof of Concept (PoC)\\r\\n\\r\\n### Step 1: Victim user submission\\r\\nA user completes a quiz. 
The submission is stored using a completion ID\\r\\nand associated with the user\u2019s session via a cookie, for example:\\r\\n\\r\\n    chained_completion_id1=2\\r\\n\\r\\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;\\r\\n\\r\\n### Step 2: Attacker interception\\r\\nThe attacker completes the same quiz and intercepts their own submission\\r\\nrequest using a proxy or browser developer tools.\\r\\n\\r\\nExample request:\\r\\n\\r\\nPOST \/wp-admin\/admin-ajax.php HTTP\/1.1\\r\\nHost: localhost\\r\\nCookie: chained_completion_id1=1\\r\\nConnection: keep-alive\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\n\\r\\nanswer=0\\u0026question_id=1\\u0026quiz_id=1\\u0026post_id=117\\u0026question_type=radio\\u0026points=0\\u0026action=chainedquiz_ajax\\u0026chainedquiz_action=answer\\u0026total_questions=1\\r\\n\\r\\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;\\r\\n\\r\\n### Step 3: Tampering\\r\\nThe attacker modifies the cookie value to match another user\u2019s quiz\\r\\nattempt, for example:\\r\\n\\r\\n    chained_completion_id1=2\\r\\n\\r\\nThe attacker may also modify parameters such as \\&#8221;answer\\&#8221; or \\&#8221;points\\&#8221; to\\r\\nmanipulate quiz responses or scores.\\r\\n\\r\\nThe modified request is then sent to the server.\\r\\n\\r\\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;\\r\\n\\r\\n### Step 4: Result\\r\\nThe server overwrites the victim user\u2019s quiz submission, including answers\\r\\nand points, without validating ownership of the completion ID.\\r\\n\\r\\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;\\r\\n\\r\\n## Impact\\r\\nAn attacker can 
arbitrarily modify quiz answers, scores, or results\\r\\nbelonging to other users. This results in an integrity violation of quiz\\r\\ndata and allows unauthorized manipulation of finalized quiz attempts.\\r\\nIn environments where quiz results are used for assessments, leaderboards,\\r\\nor certificates, this can undermine trust in the platform and affect any\\r\\ndownstream integrations that rely on quiz completion data.\\r\\n\\r\\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;\\r\\n\\r\\n## CWE\\r\\n- CWE-639: Authorization Bypass Through User-Controlled Key\\r\\n- CWE-285: Improper Authorization\\r\\n\\r\\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8220;,&#8221;sourceHref&#8221;:&#8221;https:\/\/www.exploit-db.com\/raw\/52464&#8243;,&#8221;cvss&#8221;:{&#8220;score&#8221;:5.3,&#8221;severity&#8221;:&#8221;MEDIUM&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#
8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.exploit-db.com\/exploits\/52464&#8243;,&#8221;category_name&#8221;:&#8221;Exploit&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-12-25T20:46:49&#8243;,&#8221;description&#8221;:&#8221;Exploit Title: Chained Quiz 1.3.5 &#8211; Unauthenticated Insecure Direct Object Reference via Cookie Date: 19-12-2025 Exploit Author: Karuppiah Sabari Kumar0xsabre Vendor Homepage: https:\/\/wordpress.org\/plugins\/chained-quiz\/ Software Link:&#8230;&#8221;,&#8221;published&#8221;:&#8221;2025-12-25T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2025-12-25T00:00:00&#8243;,&#8221;type&#8221;:&#8221;exploitdb&#8221;,&#8221;title&#8221;:&#8221;Chained&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,22,12,40,21,13,7,11,5],"class_list":["post-32859","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-53","tag-exploit","tag-exploitdb","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Chained Quiz 1.3.5 - 
Unauthenticated Insecure Direct Object Reference via Cookie_EDB-ID:52464 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=32859\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie_EDB-ID:52464 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2025-12-25T20:46:49&#8243;,&#8221;description&#8221;:&#8221;Exploit Title: Chained Quiz 1.3.5 &#8211; Unauthenticated Insecure Direct Object Reference via Cookie Date: 19-12-2025 Exploit Author: Karuppiah Sabari Kumar0xsabre Vendor Homepage: https:\/\/wordpress.org\/plugins\/chained-quiz\/ Software Link:&#8230;&#8221;,&#8221;published&#8221;:&#8221;2025-12-25T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2025-12-25T00:00:00&#8243;,&#8221;type&#8221;:&#8221;exploitdb&#8221;,&#8221;title&#8221;:&#8221;Chained...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=32859\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-25T15:57:11+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32859#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32859\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Chained Quiz 1.3.5 &#8211; Unauthenticated Insecure Direct Object Reference via Cookie_EDB-ID:52464\",\"datePublished\":\"2025-12-25T15:57:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32859\"},\"wordCount\":771,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-5.3\",\"exploit\",\"exploitdb\",\"MEDIUM\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=32859#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32859\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32859\",\"name\":\"Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie_EDB-ID:52464 - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-25T15:57:11+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32859#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=32859\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32859#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Chained Quiz 1.3.5 &#8211; Unauthenticated Insecure Direct Object Reference via Cookie_EDB-ID:52464\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}