PatchSiren cyber security CVE debrief
CVE-2026-13422 harmonic_design CVE debrief
The HD Quiz plugin for WordPress, versions 2.2.0 to 2.2.1, is vulnerable to Cross-Site Request Forgery (CSRF). This vulnerability stems from missing or incorrect nonce validation in the hdq_validate_nonce function. Successful exploitation allows unauthenticated attackers to delete or modify quizzes and questions, create new quizzes, and change plugin settings by tricking site administrators into performing actions such as clicking on a link. The vulnerability has a CVSS score of 4.3, indicating a medium severity level. The CVE was published on June 27, 2026, and last modified on June 29, 2026.
- Vendor
- harmonic_design
- Product
- HD Quiz
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-27
- Original CVE updated
- 2026-06-29
- Advisory published
- 2026-06-27
- Advisory updated
- 2026-06-29
Who should care
Site administrators and users of the HD Quiz plugin for WordPress should be aware of this vulnerability, especially if they are using versions 2.2.0 to 2.2.1. Developers and security teams responsible for maintaining WordPress installations with this plugin should prioritize updating to a patched version or applying mitigations.
Technical summary
The HD Quiz plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) attacks due to inadequate nonce validation in versions 2.2.0 through 2.2.1. Specifically, the hdq_validate_nonce function fails to properly validate nonces, allowing attackers to forge requests. This could lead to unauthorized actions such as quiz and question deletion or modification, creation of new quizzes, and changes to plugin settings. The vulnerability's CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, reflecting a medium severity with a score of 4.3. The CWE associated with this vulnerability is CWE-352, Cross-Site Request Forgery.
Defensive priority
Given the medium severity and potential impact, defenders should prioritize patching or mitigating this vulnerability. Immediate action is recommended for sites using affected versions of the HD Quiz plugin.
Recommended defensive actions
- Update the HD Quiz plugin to a version that fixes the CSRF vulnerability.
- Implement additional monitoring for suspicious requests that could indicate attempted exploitation.
- Educate site administrators on the risks of clicking on links from untrusted sources.
- Consider applying compensating controls such as Web Application Firewalls (WAFs) to detect and prevent CSRF attacks.
- Regularly review and update plugins and themes to ensure all components are current and patched.
Evidence notes
The CVE and NVD provide official details on the vulnerability. The Wordfence security team discovered and reported this issue, offering insights into the vulnerability's nature and potential impacts. The CVE record and NVD detail offer comprehensive information on the vulnerability, including its CVSS score and vector.
Official resources
This article is AI-assisted and based on the supplied source corpus.