PatchSiren

CVE-2026-10623 pressprimer CVE debrief

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR). The vulnerability, published as CVE-2026-10623 on June 18, 2026, allows authenticated attackers with custom-level access and above to modify or delete quiz rules belonging to other teachers. It exists in all versions up to and including 2.3.0 and is caused by missing validation on a user-controlled key. The CVSS score is 4.3 (Medium severity). Users of the PressPrimer Quiz plugin should update to a patched version as soon as possible to prevent unauthorized tampering with quiz structures.

Vendor: pressprimer
Product: PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-18
Advisory published: 2026-06-18
Advisory updated: 2026-06-18

Who should care

Administrators and users of the PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin for WordPress, especially those with custom-level access and above, should be aware of this vulnerability. Additionally, educators and institutions using the plugin for quiz management should prioritize updating the plugin to prevent potential misuse.

Technical summary

The PressPrimer Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to and including 2.3.0. The vulnerability is caused by missing validation on the 'rule_id' parameter, which is user-controlled. This allows authenticated attackers with custom-level access and above to modify or delete quiz rules belonging to other teachers. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating a Medium severity with a score of 4.3. The CWE associated with this vulnerability is CWE-639.
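
The object-level check that CWE-639 describes as missing, shown as an added example (this is not PressPrimer Quiz source code): a hypothetical WordPress AJAX handler that ties the user-controlled rule_id to the current user before deleting. The action name, nonce action, capability, table name and owner_id column are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, NOT code from the PressPrimer Quiz plugin.
// Assumed names: action "example_delete_quiz_rule", nonce action "example_quiz_rule",
// capability "example_manage_own_rules", table "{prefix}example_quiz_rules", column "owner_id".

add_action( 'wp_ajax_example_delete_quiz_rule', 'example_delete_quiz_rule' );

function example_delete_quiz_rule() {
    global $wpdb;

    // 1. CSRF protection and coarse role check. Both terminate the request on failure.
    check_ajax_referer( 'example_quiz_rule', 'nonce' );
    if ( ! current_user_can( 'example_manage_own_rules' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. rule_id is user-controlled: normalise it to a positive integer.
    $rule_id = isset( $_POST['rule_id'] ) ? absint( $_POST['rule_id'] ) : 0;
    if ( 0 === $rule_id ) {
        wp_send_json_error( array( 'message' => 'Invalid rule_id' ), 400 );
    }

    $table   = $wpdb->prefix . 'example_quiz_rules';
    $user_id = get_current_user_id();
    $rule    = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, owner_id FROM {$table} WHERE id = %d", $rule_id )
    );

    // 3. Object-level authorization: the record must belong to the caller.
    //    A role check alone (step 1) does not establish this.
    if ( ! $rule || (int) $rule->owner_id !== $user_id ) {
        // Same response for "not found" and "not yours" so rule IDs cannot be enumerated.
        wp_send_json_error( array( 'message' => 'Rule not found' ), 404 );
    }

    // 4. Scope the write by owner too, so the check and the delete cannot diverge.
    $deleted = $wpdb->delete(
        $table,
        array( 'id' => $rule_id, 'owner_id' => $user_id ),
        array( '%d', '%d' )
    );

    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $rule_id ) );
}
```

The same ownership test applies to any handler that updates a rule; an administrator override, if one is wanted, should be an explicit extra branch in step 3 rather than a skipped check.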

Defensive priority

High

Recommended defensive actions

  • Update the PressPrimer Quiz plugin to a version later than 2.3.0 as soon as possible.
  • Restrict access to the plugin's quiz management features to trusted users only.
  • Implement additional monitoring to detect and respond to potential unauthorized changes to quiz rules.
  • Consider using a Web Application Firewall (WAF) to help detect and prevent exploitation attempts.
  • Regularly review and update user access levels and permissions within the plugin.
  • Educate users with custom-level access and above about the importance of secure quiz management practices.

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Wordfence security research. The CVE record and NVD detail pages provide official information about the vulnerability. Additional references from Wordfence offer further context and technical details about the vulnerability.

Official resources

CVE-2026-10623 was published on June 18, 2026, and modified on June 18, 2026.