Description
The Quiz Maker plugin for WordPress is vulnerable to SQL Injection via spoofed IP headers in all versions up to, and including, 6.7.0.56 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable in configurations where the server is set up to retrieve the IP from a user-supplied field like `X-Forwarded-For` and limit users by IP is enabled.
Published: 2025-09-17
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection leading to data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the Quiz Maker WordPress plugin up to and including version 6.7.0.56, where insufficient escaping of a user-supplied parameter allows attackers to inject additional SQL queries by spoofing IP header fields. Attackers can append malicious statements to existing queries and read sensitive database contents without authentication. The flaw is a classic SQL Injection (CWE-89).

Affected Systems

Affected systems are installations of the ays-pro Quiz Maker plugin on WordPress, specifically versions 6.7.0.56 and earlier. Any WordPress site that runs this plugin with IP-based limiting enabled and pulls the client IP from a header such as X-Forwarded-For is susceptible. Versions released after 6.7.0.56 contain the fix.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity. The EPSS score of less than 1% reflects a very low likelihood of exploitation in the wild, and the vulnerability is not currently listed in CISA's KEV catalog. An attacker need only craft a request with a forged IP header; no authentication or privileged access is required. The risk is confined to data leakage rather than full system compromise.

Generated by OpenCVE AI on April 22, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quiz Maker plugin to version 6.7.0.57 or later, which removes the vulnerability.
  • Modify server or plugin configuration to disable IP-based limiting, or ensure that the client IP is obtained only from the trusted network source rather than an untrusted header like X-Forwarded-For.
  • Sanitize and validate any user-supplied IP header fields before using them in database queries, applying strict whitelist checks on IP format.
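The following is an added example of the hardened pattern behind the last two recommended actions; it is not the Quiz Maker plugin's own code. It assumes the standard WordPress `$wpdb` API; `$trusted_proxies`, `example_client_ip()`, `example_count_attempts_by_ip()` and the table name `example_quiz_attempts` are placeholders chosen for illustration.

```php
<?php
// Added example, not the Quiz Maker plugin's code. The unsafe shape this CVE class
// describes is building SQL by concatenating a header value taken straight from
// $_SERVER; the two functions below show the defender's alternative: only trust
// X-Forwarded-For when the direct peer is one of our own proxies, validate the
// result as an IP literal, and bind it to the query with $wpdb->prepare().

/**
 * Resolve the client IP for rate limiting.
 * $trusted_proxies is a hypothetical operator-maintained list of reverse-proxy
 * addresses; when REMOTE_ADDR is not in it, the forwarded header is ignored.
 */
function example_client_ip( array $server, array $trusted_proxies ): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ( in_array( $remote, $trusted_proxies, true ) && ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        // A trusted proxy prepends the original client; take the first hop only.
        $parts     = explode( ',', $server['HTTP_X_FORWARDED_FOR'] );
        $candidate = trim( $parts[0] );
    } else {
        $candidate = $remote;
    }

    // Strict allow-list: only a syntactically valid IPv4/IPv6 literal survives.
    $ip = filter_var( $candidate, FILTER_VALIDATE_IP );
    if ( false === $ip ) {
        // Malformed forwarded value: fall back to the socket peer, never the header.
        $ip = filter_var( $remote, FILTER_VALIDATE_IP );
    }
    return ( false === $ip ) ? '' : $ip;
}

/**
 * Count prior attempts from this IP for one quiz. The IP never reaches the SQL
 * string raw: %s in $wpdb->prepare() quotes and escapes it as a bound literal.
 * 'example_quiz_attempts' is a placeholder table name, not the plugin's.
 */
function example_count_attempts_by_ip( wpdb $wpdb, int $quiz_id, string $ip ): int {
    if ( '' === $ip ) {
        return 0; // No usable address; let the caller decide how to handle it.
    }
    $table = $wpdb->prefix . 'example_quiz_attempts';
    $sql   = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE quiz_id = %d AND user_ip = %s",
        $quiz_id,
        $ip
    );
    return (int) $wpdb->get_var( $sql );
}
```

Even with the query parameterized, keeping the trusted-proxy check is what stops an arbitrary header value from being accepted as the limiter's identity in the first place.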

Advisories
Source: EUVD | ID: EUVD-2025-29690 | Title: The Quiz Maker plugin for WordPress is vulnerable to SQL Injection via spoofed IP headers in all versions up to, and including, 6.7.0.56 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable in configurations where the server is set up to retrieve the IP from a user-supplied field like `X-Forwarded-For` and limit users by IP is enabled.
History

Fri, 19 Dec 2025 12:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:ays-pro:quiz_maker:*:*:*:*:*:wordpress:*:*

Thu, 18 Sep 2025 12:45:00 +0000

Type: First Time appeared
Values added: Ays-pro, Ays-pro quiz Maker, Wordpress, Wordpress wordpress
Type: Vendors & Products
Values added: Ays-pro, Ays-pro quiz Maker, Wordpress, Wordpress wordpress

Wed, 17 Sep 2025 13:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Sep 2025 05:30:00 +0000

Type: Description
Values added: The Quiz Maker plugin for WordPress is vulnerable to SQL Injection via spoofed IP headers in all versions up to, and including, 6.7.0.56 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable in configurations where the server is set up to retrieve the IP from a user-supplied field like `X-Forwarded-For` and limit users by IP is enabled.
Type: Title
Values added: Quiz Maker <= 6.7.0.56 - Unauthenticated SQL Injection
Type: Weaknesses
Values added: CWE-89
Type: References
Values added: (none)
Type: Metrics
Values added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:55.886Z

Reserved: 2025-09-05T17:58:14.606Z

Link: CVE-2025-10042

Vulnrichment

Updated: 2025-09-17T12:48:00.482Z

NVD

Status: Analyzed

Published: 2025-09-17T06:15:43.030

Modified: 2025-12-19T12:38:54.293

Link: CVE-2025-10042

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses