CVE-2026-13422
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
The HD Quiz plugin for WordPress versions 2.2.0 to 2.2.1 is vulnerable to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation in the hdq_validate_nonce function. Unauthenticated attackers can exploit this to delete or modify quizzes and questions, create new quizzes, and change plugin settings by tricking a site administrator into performing an action like clicking a link.
Risk Assessment
The risk involves unauthorized modification of quiz content and plugin settings, potentially compromising data integrity and user trust. Attackers could take control of quiz functionality, leading to data leakage or further attacks.
Recommendation
Immediately update the HD Quiz plugin to the latest available version that includes a fix for the CSRF vulnerability. If no update is available, temporarily disable the plugin until a patch is released.
Original NVD description (English source)
The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create new quizzes, and change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

