Over 40,000 WordPress sites running the Quiz and Survey Master (QSM) plugin were exposed to an SQL injection vulnerability that allowed authenticated users to manipulate database queries.
The flaw, present in versions 10.3.1 and earlier, could be exploited by any user with at least Subscriber-level access, putting a wide range of low-privilege accounts in a position to read data they were never meant to see.
Quiz and Survey Master is a popular tool for crafting quizzes, surveys, and forms. Its comprehensive feature set, including multimedia support and an intuitive drag-and-drop builder, has fostered a robust installation base.
Crucially, exploitation did not require administrative privileges, which significantly widened the set of accounts able to abuse the flaw.
Mechanics of the Vulnerability and Its Impact on Database Security
The vulnerability was in a REST API function that fetches quiz question data. A request parameter named is_linking was assumed to be a numeric identifier and was inserted into a database query without validation.
It received no sanitization before being concatenated with the other question IDs and executed as part of the SQL statement.
This let an authenticated user supply crafted input containing additional SQL.
Because the query was built by string concatenation rather than a prepared statement, the database treated the injected text as part of the query itself, opening the door to data exfiltration and other unintended operations.
The vulnerability has been assigned CVE-2025-67987. Although there is no evidence that the flaw was exploited in the wild, it underscores the danger of trusting request data, even parameters that end users are not expected to set directly.
Patching Response Following Ethical Disclosure
In an advisory released last week, Patchstack announced that the vulnerability had been rectified in Quiz and Survey Master version 10.3.2.
The update removes the injection point by casting the is_linking parameter to an integer with PHP's intval function before it reaches the query, so only a numeric value can be interpolated.
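To make the mechanics concrete, here is an added example (constructed for this page, not the QSM plugin's code) that reproduces the query shape described above and the fix: a list of question IDs is built by string concatenation with a request parameter that was assumed to be numeric, beside a hardened version that coerces the parameter the way intval() does and binds every value as a query parameter. The schema, table and column names, the payload and the php_intval helper are all assumptions for illustration; the helper approximates PHP's intval() on base-10 strings (leading optional sign and digits, otherwise 0). SQLite stands in for MySQL so the example runs offline.

```python
"""Vulnerable vs. hardened question lookup (constructed example, not QSM's code)."""
import re
import sqlite3
from typing import List, Tuple

# Constructed schema and data: a questions table plus a second table holding data
# a Subscriber should never be able to read. Names are illustrative, not QSM's.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE questions (question_id INTEGER PRIMARY KEY, question_name TEXT);
        INSERT INTO questions VALUES
            (1, 'What is 2+2?'), (2, 'Capital of France?'), (3, 'Favourite colour?');
        CREATE TABLE users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES
            (1, 'admin', 'constructed-hash-1'), (2, 'subscriber', 'constructed-hash-2');
    """)
    return db


def php_intval(value: str) -> int:
    """Approximates PHP intval() on a base-10 string (assumption, not PHP itself):
    keep the leading optional sign and digits, otherwise return 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def fetch_questions_vulnerable(db: sqlite3.Connection, question_ids: List[int],
                               is_linking: str) -> List[Tuple[int, str]]:
    """Mirrors the flaw: is_linking is trusted as an ID and concatenated into the IN list."""
    id_list = ",".join(str(i) for i in question_ids) + "," + is_linking
    sql = (f"SELECT question_id, question_name FROM questions "
           f"WHERE question_id IN ({id_list}) ORDER BY question_id")
    return db.execute(sql).fetchall()


def fetch_questions_fixed(db: sqlite3.Connection, question_ids: List[int],
                          is_linking: str) -> List[Tuple[int, str]]:
    """Hardened form: coerce to int (as the patch does with intval) and bind every
    value as a query parameter instead of interpolating it into the SQL text."""
    ids = [int(i) for i in question_ids] + [php_intval(is_linking)]
    placeholders = ",".join("?" for _ in ids)
    sql = (f"SELECT question_id, question_name FROM questions "
           f"WHERE question_id IN ({placeholders}) ORDER BY question_id")
    return db.execute(sql, ids).fetchall()


# Constructed payload: closes the IN list, appends a UNION that reads another
# table, and comments out the remainder of the original statement.
PAYLOAD = "0) UNION SELECT ID, user_login || ':' || user_pass FROM users -- "


def demo() -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]]]:
    """Returns (rows from the vulnerable query, rows from the fixed query) for PAYLOAD."""
    db = make_db()
    leaked = fetch_questions_vulnerable(db, [1, 2], PAYLOAD)
    safe = fetch_questions_fixed(db, [1, 2], PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)   # includes admin:constructed-hash-1 from the users table
    print("fixed:     ", safe)     # only question rows 1 and 2
```

The payload is only effective because the vulnerable query splices request text into the SQL string; once the value is reduced to an integer and bound as a parameter, the same input simply selects question ID 0, which does not exist. Casting with intval() is sufficient here only because the parameter is used as an integer; for any value that must remain a string, the equivalent WordPress protection is passing it through $wpdb->prepare() with a placeholder rather than escaping it by hand.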
This flaw was identified and reported by Doan Dinh Van, a member of the Patchstack Alliance community.
Patchstack received the vulnerability report on November 21, 2025, promptly informing the plugin vendor. The patched version was rolled out on December 4, 2025, with the advisory subsequently made public in late January 2026.

The incident is a reminder that WordPress plugins must validate input and build every query that includes request data with a prepared statement ($wpdb->prepare()) rather than string concatenation.
Source link: Infosecurity-magazine.com.