惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
博客园_首页
H
Help Net Security
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
GbyAI
GbyAI
Scott Helme
Scott Helme
D
Docker
Hacker News: Ask HN
Hacker News: Ask HN
P
Privacy & Cybersecurity Law Blog
Jina AI
Jina AI
雷峰网
雷峰网
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Spread Privacy
Spread Privacy
G
GRAHAM CLULEY
C
Cisco Blogs
The Hacker News
The Hacker News
F
Full Disclosure
Y
Y Combinator Blog
Blog — PlanetScale
Blog — PlanetScale
Recent Announcements
Recent Announcements
G
Google Developers Blog
量子位
K
Kaspersky official blog
Cisco Talos Blog
Cisco Talos Blog
The Cloudflare Blog
A
About on SuperTechFans
C
Cybersecurity and Infrastructure Security Agency CISA
Last Week in AI
Last Week in AI
博客园 - 三生石上(FineUI控件)
Microsoft Security Blog
Microsoft Security Blog
Martin Fowler
Martin Fowler
T
Tenable Blog
P
Palo Alto Networks Blog
H
Heimdal Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
W
WeLiveSecurity
Schneier on Security
Schneier on Security
The Register - Security
The Register - Security
F
Fortinet All Blogs
Stack Overflow Blog
Stack Overflow Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
The Blog of Author Tim Ferriss
N
News and Events Feed by Topic
Hugging Face - Blog
Hugging Face - Blog
小众软件
小众软件
V
V2EX
爱范儿
爱范儿

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
0xsabre · 2025-12-25 · via Exploit-DB.com RSS Feed
# Exploit Title: Chained Quiz  1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
# Date: 19-12-2025
# Exploit Author: Karuppiah Sabari Kumar(0xsabre)
# Vendor Homepage: https://wordpress.org/plugins/chained-quiz/
# Software Link: https://downloads.wordpress.org/plugin/chained-quiz.1.3.3.zip
# Version: <= 1.3.3
# Tested on: WordPress / Linux
# CVE: CVE-2025-10493

------------------------------------------------------------

## Vulnerability Type
Insecure Direct Object Reference (IDOR) / Improper Authorization

------------------------------------------------------------

## Description
The Chained Quiz plugin stores each quiz attempt using a predictable,
auto-incrementing database ID (completion_id) and exposes this value
directly in a client-side cookie named:

    chained_completion_id<quiz_id>

When submitting or re-submitting quiz answers via admin-ajax.php, the
server updates the quiz attempt record based solely on this cookie value,
without verifying that the attempt belongs to the currently authenticated
user.

No authentication is required to exploit this vulnerability when the
plugin is used with default settings.

The server retrieves the quiz attempt directly using the completion_id
from the cookie and performs an UPDATE query without verifying ownership.

As a result, an attacker can hijack or tamper with other users’ quiz
attempts by guessing or enumerating valid completion_id values and
replaying answer submissions.

------------------------------------------------------------

## Affected Component
Quiz submission and results handling functionality via admin-ajax.php

------------------------------------------------------------

## Proof of Concept (PoC)

### Step 1: Victim user submission
A user completes a quiz. The submission is stored using a completion ID
and associated with the user’s session via a cookie, for example:

    chained_completion_id1=2

------------------------------------------------------------

### Step 2: Attacker interception
The attacker completes the same quiz and intercepts their own submission
request using a proxy or browser developer tools.

Example request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Cookie: chained_completion_id1=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded

answer=0&question_id=1&quiz_id=1&post_id=117&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1

------------------------------------------------------------

### Step 3: Tampering
The attacker modifies the cookie value to match another user’s quiz
attempt, for example:

    chained_completion_id1=2

The attacker may also modify parameters such as "answer" or "points" to
manipulate quiz responses or scores.

The modified request is then sent to the server.

------------------------------------------------------------

### Step 4: Result
The server overwrites the victim user’s quiz submission, including answers
and points, without validating ownership of the completion ID.

------------------------------------------------------------

## Impact
An attacker can arbitrarily modify quiz answers, scores, or results
belonging to other users. This results in an integrity violation of quiz
data and allows unauthorized manipulation of finalized quiz attempts.
In environments where quiz results are used for assessments, leaderboards,
or certificates, this can undermine trust in the platform and affect any
downstream integrations that rely on quiz completion data.

------------------------------------------------------------

## CWE
- CWE-639: Authorization Bypass Through User-Controlled Key
- CWE-285: Improper Authorization

------------------------------------------------------------