Description
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘is_linking’ parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-01-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data exposure via authenticated SQL injection
Action: Patch
AI Analysis

Impact

The vulnerability in the Quiz and Survey Master plugin permits time-based SQL injection through the is_linking query parameter. Because the input is not escaped and the existing SQL statement is not properly parameterized, an attacker with at least Subscriber-level access can inject additional SQL code. This flaw enables the attacker to run arbitrary queries against the WordPress database, potentially leaking sensitive information. The weakness is a classic SQL injection, categorized as CWE-89.

Affected Systems

The affected product is the expresstech Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress. All releases up to and including version 10.3.1 are vulnerable. Administrators should verify which version is installed on their sites and plan to update beyond 10.3.1.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate level of severity, but the EPSS score of less than 1% suggests a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with a Subscriber or higher role and involves sending crafted HTTP requests to the plugin endpoint that processes the is_linking parameter. Because exploitation requires an account on the site, the risk is limited to sites where an attacker already holds, or can obtain, the required user level; however, once that level is reached, the data extraction capability is extensive.

Generated by OpenCVE AI on April 20, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quiz and Survey Master plugin to the latest available version (10.3.2 or newer) once released.
  • If an immediate upgrade is not possible, prevent Subscriber and higher roles from reaching the plugin API endpoints that accept the is_linking parameter, either by adjusting role capabilities or by using a security plugin to block the endpoint.
  • Configure a web application firewall or similar sanitizing filter to validate the is_linking parameter, so that only accepted values are allowed and injected SQL patterns are blocked.

Tracking


Advisories

No advisories yet.

History

Fri, 09 Jan 2026 13:30:00 +0000

  Type: CPEs
  Values removed: (none)
  Values added: cpe:2.3:a:expresstech:quiz_and_survey_master:*:*:*:*:*:wordpress:*:*

Tue, 06 Jan 2026 14:30:00 +0000

  Type: First Time appeared
  Values removed: (none)
  Values added: Expresstech; Expresstech quiz And Survey Master; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values removed: (none)
  Values added: Expresstech; Expresstech quiz And Survey Master; Wordpress; Wordpress wordpress

Tue, 06 Jan 2026 14:15:00 +0000

  Type: Metrics (ssvc)
  Values removed: (none)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 09:45:00 +0000

  Type: Description
  Values removed: (none)
  Values added: The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘is_linking’ parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

  Type: Title
  Values removed: (none)
  Values added: Quiz and Survey Master (QSM) <= 10.3.1 - Authenticated (Subscriber+) SQL Injection via `is_linking` Query Parameter

  Type: Weaknesses
  Values removed: (none)
  Values added: CWE-89

  Type: References
  Values removed: (none)
  Values added: (none listed)

  Type: Metrics (cvssV3_1)
  Values removed: (none)
  Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:10.903Z

Reserved: 2025-08-21T13:25:19.701Z

Link: CVE-2025-9318

Vulnrichment

Updated: 2026-01-06T14:01:00.087Z

NVD

Status : Analyzed

Published: 2026-01-06T10:15:48.780

Modified: 2026-01-09T13:24:30.493

Link: CVE-2025-9318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:00:10Z

Weaknesses