WordPress Plugin Vulnerabilities

Quiz and Survey Master (QSM) < 11.0.0 - Authenticated (Contributor+) SQL Injection via 'merged_question' Parameter

Description

The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanitization of user-supplied input before being used in a SQL query. The sanitize_text_field() function applied to the merged_question parameter does not prevent SQL metacharacters like ), OR, AND, and # from being included in the value, which is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or casting values to integers. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affects Plugins

Plugin icon
quiz-master-next
Fixed in 11.0.0

References

CVE
CVE-2026-2412
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b32bf1cb-3722-41fc-be51-dabe80416b14

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.9 (Medium)

Miscellaneous

Original Researcher
d.v4n_s3c
Verified
No
WPVDB ID
c28e5b4c-3037-4bbb-a8da-d5c11625e861

Timeline

Publicly Published
2026-03-23 (about 3 months ago)
Added
2026-03-23 (about 3 months ago)
Last Updated
2026-03-23 (about 3 months ago)

Other

Published
Title
Published
2024-07-09
Title
PayPlus Payment Gateway < 7.0.8 - Authenticated (Subscriber+) SQL Injection
Published
2014-08-01
Title
WP Easy Gallery 2.7 - admin/add-images.php Multiple Parameter SQL Injection
Published
2015-02-12
Title
WordPress Survey & Poll < 1.1.91 - Blind SQL Injection
Published
2015-04-23
Title
Ultimate Product Catalogue <= 3.1.2 - Unauthenticated SQL Injection
Published
2023-11-28
Title
WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs/send_mail endpoint