Description
Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to extract sensitive database information or bypass authentication.
Published: 2026-03-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access and Authentication Bypass
Action: Apply Mitigation
AI Analysis

Impact

Online Quiz Maker 1.0 includes SQL injection vulnerabilities in the catid and usern parameters that let authenticated attackers send crafted POST requests to quiz-system.php or add-category.php. By injecting malicious SQL, an attacker can read or modify the database, extract sensitive information, or bypass authentication controls. This can compromise confidentiality and integrity of the quiz content and user data.

Affected Systems

The vulnerability affects Hscripts' Online Quiz Maker 1.0. No specific version extensions are noted beyond the base release, and no additional vendors are listed.

Risk and Exploitability

The CVSS score of 7.1 indicates high impact, but the EPSS score is unavailable, making it unclear how frequently this flaw is exploited in the wild. The flaw is not listed in CISA’s KEV catalog. The attack vector is web‑based; an attacker must be authenticated to the application and can submit malicious POST payloads. Given the lack of public exploitation and the need for authentication, the likelihood is moderate, but the potential damage if exploited is significant.

Generated by OpenCVE AI on March 26, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that user authentication is required before processing catid or usern parameters.
  • Replace vulnerable SQL query construction with parameterized statements or prepared statements to eliminate injection risk.
  • Validate or sanitize all POST input values, ensuring they match expected formats and lengths.
  • Restrict database user permissions to the minimum necessary privileges for the application.
  • Apply any vendor‑released patch or updated version when it becomes available.
  • Monitor application logs for anomalous SQL activity or repeated injection attempts.


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hscripts; Hscripts online Quiz Maker
Vendors & Products | | Hscripts; Hscripts online Quiz Maker

Thu, 26 Mar 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to extract sensitive database information or bypass authentication.
Title | | Online Quiz Maker 1.0 SQL Injection via catid Parameter
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T13:00:10.011Z

Reserved: 2026-03-26T11:33:48.528Z

Link: CVE-2018-25207

Vulnrichment

Updated: 2026-03-26T12:59:42.965Z

NVD

Status: Awaiting Analysis

Published: 2026-03-26T12:16:05.847

Modified: 2026-03-26T15:13:15.790

Link: CVE-2018-25207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T08:36:03Z

Weaknesses