Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through <= 10.2.4.
Published: 2025-08-14
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL Injection flaw stemming from improper neutralization of special characters used in SQL commands within the ExpressTech Systems Quiz And Survey Master plugin. This weakness, identified as CWE‑89, permits an attacker to inject malicious SQL statements when interacting with the plugin’s input fields. Successful exploitation could allow unauthorized reading, modification, or deletion of database contents, potentially leading to full compromise of the WordPress site's data layer.

Affected Systems

The affected product is ExpressTech Systems Quiz And Survey Master, a WordPress plugin known as quiz‑master‑next. Versions from the initial release through 10.2.4 are vulnerable. WordPress sites running any of these versions should be considered at risk.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, but the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in CISA’s KEV catalog, further implying limited known exploitation. The likely attack vector is via crafted user input to the plugin’s survey or quiz forms, which directly feeds into SQL queries without proper sanitization.

Generated by OpenCVE AI on April 30, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quiz And Survey Master plugin to version 10.2.5 or later.
  • If an immediate upgrade is not possible, restrict access to the plugin’s input endpoints so that only trusted administrators can submit data.
  • Ensure the database user associated with WordPress has the minimal privileges required; remove write rights where they are unnecessary.


Advisories
Source: EUVD
ID: EUVD-2025-24921
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through 10.2.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through 10.2.4.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through <= 10.2.4.
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Sat, 16 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared: Expresstech; Expresstech quiz And Survey Master; Wordpress; Wordpress wordpress
Vendors & Products: Expresstech; Expresstech quiz And Survey Master; Wordpress; Wordpress wordpress

Fri, 15 Aug 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through 10.2.4.
Title WordPress Quiz And Survey Master Plugin <= 10.2.4 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:37.171Z

Reserved: 2025-08-14T09:10:30.442Z

Link: CVE-2025-55708

Vulnrichment

Updated: 2025-08-15T12:53:35.512Z

NVD

Status: Deferred

Published: 2025-08-14T19:15:42.677

Modified: 2026-04-23T15:32:56.057

Link: CVE-2025-55708

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:30:27Z

Weaknesses