{"id":"CVE-2026-10623","summary":"PressPrimer Quiz \u003c= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification via 'quiz_id', 'item_id', and 'rule_id' Parameters","details":"The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the 'rule_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with custom-level access and above, to modify or delete quiz rules belonging to other teachers, resulting in unauthorized tampering of another user's quiz structure.","modified":"2026-07-08T07:32:28.001010557Z","published":"2026-06-18T05:34:24.522Z","database_specific":{"cwe_ids":["CWE-639"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10623.json","cna_assigner":"Wordfence"},"references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.1.0/includes/api/class-ppq-rest-controller.php#L1703"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.1.0/includes/api/class-ppq-rest-controller.php#L1786"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.1.0/includes/api/class-ppq-rest-controller.php#L1813"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.1.0/includes/api/class-ppq-rest-controller.php#L1860"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.1.0/includes/api/class-ppq-rest-controller.php#L1923"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.1.0/includes/api/class-ppq-rest-controller.php#L1963"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.1.0/includes/api/class-ppq-rest-controller.php#L434"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.2.2/includes/api/class-ppq-rest-controller.php#L1703"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.2.2/includes/api/class-ppq-rest-controller.php#L1786"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.2.2/includes/api/class-ppq-rest-controller.php#L1813"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.2.2/includes/api/class-ppq-rest-controller.php#L1860"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.2.2/includes/api/class-ppq-rest-controller.php#L1923"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.2.2/includes/api/class-ppq-rest-controller.php#L1963"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/pressprimer-quiz/tags/2.2.2/includes/api/class-ppq-rest-controller.php#L434"},{"type":"WEB","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/150ac796-d77b-4915-8bbf-9f9b54be8eaf?source=cve"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10623.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10623"},{"type":"FIX","url":"https://github.com/PressPrimer/pressprimer-quiz/commit/1795687"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pressprimer/pressprimer-quiz","events":[{"introduced":"0"},{"fixed":"1795687"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"last_affected":"2.3.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10623.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}