{"id":34541,"date":"2026-01-07T16:40:57","date_gmt":"2026-01-07T16:40:57","guid":{"rendered":"http:\/\/localhost\/?p=34541"},"modified":"2026-01-07T16:40:57","modified_gmt":"2026-01-07T16:40:57","slug":"wordpress-chained-quiz-135-insecure-direct-object-reference","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=34541","title":{"rendered":"\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575"},"content":{"rendered":"

{“lastseen”:”2026-01-07T21:45:35″,”description”:”WordPress Chained Quiz plugin versions 1.3.5 and below appear to suffer from an insecure direct object reference. The issue was partially patched in versions 1.3.4 and 1.3.5…”,”published”:”2026-01-07T00:00:00″,”modified”:”2026-01-07T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference”,”source”:””,”references”:””,”id”:”PACKETSTORM:213575″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-10493″],”sourceData”:”# Exploit Title: Chained Quiz 1.3.5 – Unauthenticated Insecure Direct Object Reference via Cookie\\n # Date: 19-12-2025\\n # Exploit Author: Karuppiah Sabari Kumar(0xsabre)\\n # Vendor Homepage: https:\/\/wordpress.org\/plugins\/chained-quiz\/\\n # Software Link: https:\/\/downloads.wordpress.org\/plugin\/chained-quiz.1.3.3.zip\\n # Version: \\u003c= 1.3.3\\n # Tested on: WordPress \/ Linux\\n # CVE: CVE-2025-10493\\n \\n ————————————————————\\n \\n ## Vulnerability Type\\n Insecure Direct Object Reference (IDOR) \/ Improper Authorization\\n \\n ————————————————————\\n \\n ## Description\\n The Chained Quiz plugin stores each quiz attempt using a predictable,\\n auto-incrementing database ID (completion_id) and exposes this value\\n directly in a client-side cookie named:\\n \\n chained_completion_id\\u003cquiz_id\\u003e\\n \\n When submitting or re-submitting quiz answers via admin-ajax.php, the\\n server updates the quiz attempt record based solely on this cookie value,\\n without verifying that the attempt belongs to the currently authenticated\\n user.\\n \\n No authentication is required to exploit this vulnerability when the\\n plugin is used with default settings.\\n \\n The server retrieves the quiz attempt directly using the completion_id\\n from the cookie and performs an UPDATE query without verifying ownership.\\n \\n As a result, an attacker can hijack or tamper with other users\u2019 quiz\\n attempts by guessing or enumerating valid completion_id values and\\n replaying answer submissions.\\n \\n ————————————————————\\n \\n ## Affected Component\\n Quiz submission and results handling functionality via admin-ajax.php\\n \\n ————————————————————\\n \\n ## Proof of Concept (PoC)\\n \\n ### Step 1: Victim user submission\\n A user completes a quiz. The submission is stored using a completion ID\\n and associated with the user\u2019s session via a cookie, for example:\\n \\n chained_completion_id1=2\\n \\n ————————————————————\\n \\n ### Step 2: Attacker interception\\n The attacker completes the same quiz and intercepts their own submission\\n request using a proxy or browser developer tools.\\n \\n Example request:\\n \\n POST \/wp-admin\/admin-ajax.php HTTP\/1.1\\n Host: localhost\\n Cookie: chained_completion_id1=1\\n Connection: keep-alive\\n Content-Type: application\/x-www-form-urlencoded\\n \\n answer=0\\u0026question_id=1\\u0026quiz_id=1\\u0026post_id=117\\u0026question_type=radio\\u0026points=0\\u0026action=chainedquiz_ajax\\u0026chainedquiz_action=answer\\u0026total_questions=1\\n \\n ————————————————————\\n \\n ### Step 3: Tampering\\n The attacker modifies the cookie value to match another user\u2019s quiz\\n attempt, for example:\\n \\n chained_completion_id1=2\\n \\n The attacker may also modify parameters such as \\”answer\\” or \\”points\\” to\\n manipulate quiz responses or scores.\\n \\n The modified request is then sent to the server.\\n \\n ————————————————————\\n \\n ### Step 4: Result\\n The server overwrites the victim user\u2019s quiz submission, including answers\\n and points, without validating ownership of the completion ID.\\n \\n ————————————————————\\n \\n ## Impact\\n An attacker can arbitrarily modify quiz answers, scores, or results\\n belonging to other users. This results in an integrity violation of quiz\\n data and allows unauthorized manipulation of finalized quiz attempts.\\n In environments where quiz results are used for assessments, leaderboards,\\n or certificates, this can undermine trust in the platform and affect any\\n downstream integrations that rely on quiz completion data.\\n \\n ————————————————————\\n \\n ## CWE\\n – CWE-639: Authorization Bypass Through User-Controlled Key\\n – CWE-285: Improper Authorization\\n \\n ————————————————————“,”sourceHref”:”https:\/\/packetstorm.news\/download\/213575″,”cvss”:{“score”:5.3,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213575\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-01-07T21:45:35″,”description”:”WordPress Chained Quiz plugin versions 1.3.5 and below appear to suffer from an insecure direct object reference. The issue was partially patched in versions 1.3.4…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,22,12,21,13,53,7,11,5],"class_list":["post-34541","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-53","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=34541\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-01-07T21:45:35″,”description”:”WordPress Chained Quiz plugin versions 1.3.5 and below appear to suffer from an insecure direct object reference. The issue was partially patched in versions 1.3.4...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=34541\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-07T16:40:57+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34541#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34541\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575\",\"datePublished\":\"2026-01-07T16:40:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34541\"},\"wordCount\":706,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-5.3\",\"exploit\",\"MEDIUM\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=34541#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34541\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34541\",\"name\":\"\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-01-07T16:40:57+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34541#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=34541\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34541#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=34541","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575 - zero redgem","og_description":"{“lastseen”:”2026-01-07T21:45:35″,”description”:”WordPress Chained Quiz plugin versions 1.3.5 and below appear to suffer from an insecure direct object reference. The issue was partially patched in versions 1.3.4...","og_url":"https:\/\/zero.redgem.net\/?p=34541","og_site_name":"zero redgem","article_published_time":"2026-01-07T16:40:57+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=34541#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=34541"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575","datePublished":"2026-01-07T16:40:57+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=34541"},"wordCount":706,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-5.3","exploit","MEDIUM","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=34541#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=34541","url":"https:\/\/zero.redgem.net\/?p=34541","name":"\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-01-07T16:40:57+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=34541#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=34541"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=34541#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference_PACKETSTORM:213575"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/34541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=34541"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/34541\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=34541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=34541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=34541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}