Quiz and Survey Master (QSM) < 11.1.1 - Unauthenticated Shortcode Injection
Description
The plugin is vulnerable to Arbitrary Shortcode Execution due to insufficient input sanitization and the execution of do_shortcode() on user-submitted quiz answer text. User-submitted answers pass through sanitize_text_field() and htmlspecialchars(), which strip or encode HTML but leave the shortcode brackets [ and ] intact. When quiz results are displayed, the plugin calls do_shortcode() on the entire results page output (including user answers), so any shortcode embedded in an answer is executed. This makes it possible for unauthenticated attackers to inject arbitrary WordPress shortcodes such as [qsm_result id=X] and access other users' quiz submissions without authorization, as the qsm_result shortcode performs no authorization check.
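The following PHP is an added illustration of the two weaknesses described above and is not code from the QSM plugin: a results renderer in the vulnerable shape (sanitize, concatenate, then do_shortcode() over the whole page) beside a hardened one that neutralises shortcode brackets in user-controlled text before concatenation, plus an ownership gate of the kind the result-display shortcode is missing. The WordPress functions used (sanitize_text_field, esc_html, do_shortcode, shortcode_atts, absint, is_user_logged_in, get_current_user_id, current_user_can, add_shortcode) are real; every qsm_example_* name is hypothetical, and how the plugin stores a submission's owner is assumed.

```php
<?php
// Added example, not QSM's code. Assumes WordPress is loaded (the wp_* and
// sanitize/esc functions below are core APIs); qsm_example_* names are invented.

// Vulnerable shape, as the advisory describes it: the answer is "sanitized",
// but '[' and ']' survive both calls, and the assembled results page is then
// passed through do_shortcode(), so a shortcode typed into the answer runs.
function qsm_example_render_results_vulnerable( string $raw_answer ): string {
    $answer = htmlspecialchars( sanitize_text_field( $raw_answer ), ENT_QUOTES, 'UTF-8' );
    $page   = '<div class="qsm-answer">' . $answer . '</div>';
    return do_shortcode( $page ); // user text is parsed for shortcodes here
}

// Mitigation: the shortcode parser only recognises literal brackets, so
// entity-encoding them in user-controlled text renders as brackets in the
// browser but can never be parsed as a shortcode. Do this before the text
// is concatenated into anything that later passes through do_shortcode().
function qsm_example_neutralize_shortcodes( string $text ): string {
    return str_replace( array( '[', ']' ), array( '&#91;', '&#93;' ), $text );
}

function qsm_example_render_results_hardened( string $raw_answer ): string {
    // esc_html() runs first so its output (&lt; &gt; &amp; ...) contains no brackets
    // that the replacement could disturb; the plugin's own shortcodes placed
    // elsewhere in $page (outside user text) still expand normally.
    $answer = qsm_example_neutralize_shortcodes( esc_html( sanitize_text_field( $raw_answer ) ) );
    $page   = '<div class="qsm-answer">' . $answer . '</div>';
    return do_shortcode( $page );
}

// Second weakness: a result-display shortcode with no authorization check.
// A hypothetical gate: the viewer must be logged in and either own the
// submission or hold a site-management capability.
function qsm_example_can_view_result( int $owner_user_id ): bool {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    return get_current_user_id() === $owner_user_id || current_user_can( 'manage_options' );
}

// Hypothetical shortcode handler wiring the gate in. $lookup_owner is any
// callable that maps a result id to the submitting user's id (assumed to be
// provided by the plugin's own storage layer; 0 means "not found").
function qsm_example_register_result_shortcode( callable $lookup_owner ): void {
    add_shortcode( 'qsm_example_result', function ( $atts ) use ( $lookup_owner ) {
        $atts      = shortcode_atts( array( 'id' => 0 ), $atts );
        $result_id = absint( $atts['id'] );
        $owner_id  = (int) $lookup_owner( $result_id );
        if ( 0 === $owner_id || ! qsm_example_can_view_result( $owner_id ) ) {
            return ''; // deny silently rather than leak whether the id exists
        }
        return '<div class="qsm-result" data-id="' . esc_attr( (string) $result_id ) . '"></div>';
    } );
}
```

Usage: replace the vulnerable renderer with the hardened one wherever user answers are merged into output that later goes through do_shortcode(), and register the result shortcode with a lookup bound to the plugin's real submission storage. A quick check that the encoding works is to submit an answer containing any registered shortcode and confirm it is displayed literally on the results page rather than expanded.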
Affects Plugins
References
Classification
Type
INJECTION
OWASP top 10
CVSS
Miscellaneous
Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
Timeline
Publicly Published
2026-04-16 (about 2 months ago)
Added
2026-04-16 (about 2 months ago)
Last Updated
2026-04-16 (about 2 months ago)