Over 40,000 WordPress Websites Impacted by New Malware Vulnerability – Check if You’re at Risk


An SQL Injection Vulnerability Identified in QSM Plugin

  • Versions 10.3.1 and prior of the QSM plugin are susceptible to an SQL injection flaw.
  • This vulnerability permits logged-in users with account privileges (Subscriber or higher) to access sensitive database information.
  • WordPress administrators are urged to update QSM to version 10.3.2 or later to mitigate potential risks.

If your website employs the Quiz and Survey Master (QSM) WordPress plugin, it is imperative to update to the latest version immediately to avert potential cyberthreats.

The QSM plugin, designed for creating quizzes, surveys, and forms without coding, has over 40,000 active installations. However, it has been revealed that versions 10.3.1 and earlier contain a critical SQL injection flaw, allowing any authenticated user to inject SQL into the plugin's database queries.

A security advisory from Patchstack highlighted that this vulnerability allows any user holding a “subscriber” status, or those with superior permissions, to carry out a multitude of unauthorized actions on affected websites, including exfiltration of confidential data.

Extent of Vulnerable Websites

Users are strongly recommended to upgrade to the latest version without delay; currently, version 10.3.5 is available on the official WordPress.org site.

Unfortunately, the exact number of patched versus vulnerable websites cannot be determined. Current statistics indicate that approximately 52.1% of users are running version 10.3, suggesting that at least 47.9% (equating to 19,160 sites) are at risk. Among the remaining 39,980 sites, some may also be running the affected version 10.3.1.

At present, there is no indication that this flaw has been exploited in the wild. Nevertheless, given its widespread use, it is prudent to consider that malicious actors may soon begin scanning for sites utilizing the QSM plugin. This vulnerability is cataloged under CVE-2025-67987 and has been rectified in version 10.3.2.
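A quick way to check whether an install is still on a vulnerable release is to read the "Version:" field from the plugin's main file and compare it against the fixed version. The script below is an added example, not code from the article or from the QSM project; the plugin file path is an assumption to adjust to your install, and the header text embedded in it is constructed for the demonstration.

```python
import re
import sys
from pathlib import Path

# Constructed sample of a WordPress plugin header; not taken from the QSM source.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Quiz And Survey Master
 * Version: 10.3.1
 */
"""

# Version in which the flaw (CVE-2025-67987) was fixed, per the advisory.
FIXED_VERSION = "10.3.2"


def parse_version(v):
    """Turn '10.3.1' into (10, 3, 1); stop at the first non-numeric part."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def plugin_version_from_header(text):
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(.+?)\s*$", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly below the fixed version."""
    a, b = parse_version(version), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so that 10.3 compares as 10.3.0
    b += (0,) * (n - len(b))
    return a < b


def assess(header_text):
    """Return (version, vulnerable) for a plugin file's contents, or (None, None)."""
    version = plugin_version_from_header(header_text)
    return (version, is_vulnerable(version)) if version else (None, None)


if __name__ == "__main__":
    # Assumed path; pass the real main plugin file as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = Path(path).read_text(encoding="utf-8", errors="replace") if path else SAMPLE_HEADER
    print(assess(text))  # SAMPLE_HEADER gives ('10.3.1', True)
```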


As a standard best practice, WordPress users should consistently ensure their website builder platforms, along with any plugins and themes in use, are kept up to date. Additionally, cybersecurity experts recommend completely removing any inactive plugins and themes from servers.

Source link: Techradar.com.


Reported By

RS Web Solutions
