Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through <= 10.3.1.
Published: 2026-02-20
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection – potential data loss and site compromise
Action: Patch Immediately
AI Analysis

Impact

A flaw in ExpressTech Systems' Quiz And Survey Master WordPress plugin lets an attacker inject SQL commands through input that reaches a database query without proper neutralization, the classic manifestation of CWE-89. The published CVSS vector rates the confidentiality impact as high, the integrity impact as none and the availability impact as low, so the primary risk is disclosure of quiz and survey data and potentially other content stored in the WordPress database rather than its modification. The scope is rated as changed, meaning the effect is not confined to the plugin's own tables.

Affected Systems

All releases of the ExpressTech Systems Quiz And Survey Master plugin up to and including version 10.3.1 are affected. The plugin is not part of a default WordPress installation; any WordPress site that has it installed at 10.3.1 or earlier is exposed.

Risk and Exploitability

The flaw carries a CVSS 3.1 score of 8.5 (High). Its vector, AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, describes a network-reachable issue that requires an account with low privileges, needs no user interaction, and has a changed scope. The EPSS score is below 1%, suggesting that exploitation is presently uncommon; the SSVC assessment records no known exploitation, and the vulnerability is not listed in the CISA KEV catalog. The advisory does not identify the vulnerable parameter, so the attack path can only be described in general terms: an attacker holding a low-privileged account would supply crafted SQL payloads through plugin input that is used to build a database query. A successful injection could read the plugin's database tables, leaking survey results and potentially other site data; the vector rates integrity impact as none and availability impact as low.

Generated by OpenCVE AI on April 27, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quiz And Survey Master plugin to a release later than 10.3.1 as soon as the vendor publishes one. This page records no fixed version, so confirm the fix in the plugin changelog or the Patchstack advisory before relying on the upgrade.
  • WordPress has no global setting that enforces input validation on a plugin's behalf. If the site runs custom code that extends the plugin, validate and type-cast input (for example with absint() for numeric IDs) and pass values to queries through $wpdb->prepare() rather than string concatenation.
  • Deploy a web application firewall rule that blocks common SQL injection patterns on the plugin's endpoints, limit the low-privilege accounts the vector requires to users who need them, and review database query logs for tautologies, UNION clauses, or comment sequences that indicate injection attempts.
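The prepared-statement and query-log points above, as an added example that is not code from the Quiz And Survey Master plugin, from Patchstack, or from OpenCVE: a generic CWE-89 illustration in Python against an in-memory SQLite database. The results table, its columns, the quiz_id parameter and the sample rows are constructed for this example; the advisory does not identify the plugin's vulnerable parameter or query, and the WordPress functions named in the comments ($wpdb->prepare(), absint()) are the standard WordPress APIs, not the plugin's code.

```python
import re
import sqlite3

# Constructed sample data standing in for stored survey answers (not real data).
SAMPLE_ROWS = [
    (1, 101, "alice", "Q1: yes"),
    (2, 101, "bob", "Q1: no"),
    (3, 202, "carol", "answer to a private survey"),
]

# Every statement sent to the database is kept here so it can be reviewed
# the way a database query log would be.
QUERY_LOG = []


def make_db():
    """Build an in-memory database with a hypothetical results table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE results (id INTEGER, quiz_id INTEGER, respondent TEXT, answer TEXT)"
    )
    conn.executemany("INSERT INTO results VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def results_vulnerable(conn, quiz_id):
    """CWE-89: the caller's value is pasted into the SQL text, so a value such as
    '101 OR 1=1' rewrites the WHERE clause and returns every respondent's answers."""
    sql = "SELECT respondent, answer FROM results WHERE quiz_id = " + str(quiz_id)
    QUERY_LOG.append(sql)
    return conn.execute(sql).fetchall()


def results_safe(conn, quiz_id):
    """Hardened form: the value is validated up front (the analogue of WordPress's
    absint()) and then bound as a parameter, which is what
    $wpdb->prepare('... WHERE quiz_id = %d', $quiz_id) does in WordPress code."""
    if not isinstance(quiz_id, int) or quiz_id < 0:
        raise ValueError("quiz_id must be a non-negative integer")
    sql = "SELECT respondent, answer FROM results WHERE quiz_id = ?"
    QUERY_LOG.append(sql)
    return conn.execute(sql, (quiz_id,)).fetchall()


# Patterns typical of injection attempts: tautologies, UNION, comment sequences,
# stacked statements. A production rule set would be broader; this is illustrative.
SUSPICIOUS = re.compile(r"\bOR\s+\S+\s*=\s*\S+|\bUNION\b|--|/\*|;\s*\w+", re.IGNORECASE)


def flag_suspicious(query_log):
    """Return the logged statements that match injection patterns."""
    return [q for q in query_log if SUSPICIOUS.search(q)]


def demo():
    """Run the vulnerable and hardened lookups and report what each returned."""
    conn = make_db()
    QUERY_LOG.clear()
    legit = results_vulnerable(conn, 101)             # 2 rows, as intended
    leaked = results_vulnerable(conn, "101 OR 1=1")   # 3 rows: every survey's answers
    bound = results_safe(conn, 101)                   # 2 rows
    try:
        results_safe(conn, "101 OR 1=1")              # rejected before reaching SQL
        rejected = False
    except ValueError:
        rejected = True
    # Binding alone already neutralises the payload: SQLite compares it as a
    # literal string against the INTEGER column and no row matches.
    bound_payload = conn.execute(
        "SELECT respondent FROM results WHERE quiz_id = ?", ("101 OR 1=1",)
    ).fetchall()
    return {
        "legit": len(legit),
        "leaked": len(leaked),
        "bound": len(bound),
        "rejected": rejected,
        "bound_payload": len(bound_payload),
        "flagged": flag_suspicious(QUERY_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

The flagged list contains only the concatenated statement, which is the one a log reviewer or a WAF rule would catch; the parameterized statement reaches the database as a fixed template and the payload never appears in it.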


Advisories

No advisories yet.

History

Tue, 24 Feb 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Expresstech; Expresstech quiz And Survey Master; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Expresstech; Expresstech quiz And Survey Master; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through <= 10.3.1.

Type: Title
Values Removed: (none)
Values Added: WordPress Quiz And Survey Master plugin <= 10.3.1 - SQL Injection vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89
References

Subscriptions

Expresstech Quiz And Survey Master
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:31:57.133Z

Reserved: 2025-12-15T10:00:33.670Z

Link: CVE-2025-67987

Vulnrichment

Updated: 2026-02-24T19:19:44.736Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:04.837

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67987

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:00:13Z

Weaknesses