HD Quiz 2.2.0 - 2.2.1 - Cross-Site Request Forgery via Multiple AJAX Handlers

Summary

CVE	CVE-2026-13422
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-27 02:16:29 UTC
Updated	2026-06-27 02:16:29 UTC
Description	The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create new quizzes, and change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Risk And Classification

Primary CVSS: v3.1 4.3 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Problem Types: CWE-352 | CWE-352 CWE-352 Cross-Site Request Forgery (CSRF)

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`
3.1	CNA	DECLARED	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Harmonic Design	HD Quiz	affected 2.2.0 2.2.1 semver	Not specified

References

Reference	Source	Link	Tags
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.0/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.0/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.0/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.1/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.1/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.1/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.1/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.0/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.0/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.2/includes/functions.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.1/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.1/includes/functions.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.0/includes/functions.php	[email protected]	plugins.trac.wordpress.org
www.wordfence.com/threat-intel/vulnerabilities/id/c886ce5a-0633-4892-9471-c1a7e...	[email protected]	www.wordfence.com
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.1/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/hd-quiz/tags/2.2.0/includes/actions-ajax.php	[email protected]	plugins.trac.wordpress.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: PRISM (en)

Additional Advisory Data

Source	Time	Event
CNA	2026-06-24T16:48:25.000Z	Vendor Notified
CNA	2026-06-26T12:56:19.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.