Description
The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanitization of user-supplied input before being used in a SQL query. The sanitize_text_field() function applied to the merged_question parameter does not prevent SQL metacharacters like ), OR, AND, and # from being included in the value, which is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or casting values to integers. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
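As an added illustration (not code from the QSM plugin or from the advisory), the pattern the description attributes to the bug is shown next to the form that removes it: each ID is cast to an integer and bound through $wpdb->prepare(). Function and table names are hypothetical.

```php
<?php
// Added example, not QSM's code. Function and table names are hypothetical;
// $wpdb is WordPress' global database object.

// The pattern the advisory describes: sanitize_text_field() strips tags and
// control characters but leaves ), OR, AND and # in place, and the result is
// concatenated straight into an IN() clause.
function example_unsafe_question_lookup( $merged_question ) {
    global $wpdb;
    $merged = sanitize_text_field( $merged_question ); // still arbitrary SQL text
    $sql    = "SELECT question_id, question_name FROM {$wpdb->prefix}example_questions"
            . " WHERE question_id IN ({$merged})";     // string concatenation: injectable
    return $wpdb->get_results( $sql );
}

// Hardened form: the parameter is a list of integer IDs, so treat it as one.
function example_safe_question_lookup( $merged_question ) {
    global $wpdb;

    // 1. Split on commas and force every element to a non-negative integer.
    //    absint() turns anything non-numeric into 0, which array_filter() drops.
    $ids = array_filter( array_map( 'absint', explode( ',', (string) $merged_question ) ) );
    if ( empty( $ids ) ) {
        return array();
    }

    // 2. One %d placeholder per value; $wpdb->prepare() binds them as integers,
    //    so nothing from the request reaches the query as SQL text.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT question_id, question_name FROM {$wpdb->prefix}example_questions"
        . " WHERE question_id IN ({$placeholders})",
        array_values( $ids )
    );
    return $wpdb->get_results( $sql );
}
```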
Published: 2026-03-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection that can expose database content
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the Quiz and Survey Master plugin allows an authenticated user with Contributor or higher permissions to inject arbitrary SQL through the merged_question parameter. The lack of proper escaping or prepared statements permits inclusion of SQL metacharacters such as ), OR, AND, and #, leading to extraction of sensitive data stored in the database. This attack compromises the confidentiality of all data accessed through the plugin, potentially exposing user information or quiz results.

Affected Systems

WordPress sites that have the Quiz and Survey Master plugin by expresstech installed with a version number of 10.3.5 or earlier are vulnerable. No information is provided about whether later releases contain a fix, but the documented affected range stops at 10.3.5.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. EPSS information is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires the attacker to be authenticated as a Contributor or higher; no additional network or configuration prerequisites are described. Consequently, the threat remains medium, escalating if the site contains highly sensitive information.

Generated by OpenCVE AI on March 24, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Quiz and Survey Master to the newest available version of the plugin.
  • If an upgrade is not immediately possible, restrict or temporarily remove Contributor capabilities from affected accounts.
  • Monitor database logs for unexpected queries or failed login attempts.
  • Implement a web application firewall rule that blocks suspicious SQL injection patterns.
  • Verify that after updating, the merged_question parameter no longer accepts malicious input.

Generated by OpenCVE AI on March 24, 2026 at 03:55 UTC.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:15:00 +0000

Values Added (no values removed):
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Values Added (no values removed):
  First Time appeared:
    Expresstech
    Expresstech quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
    Wordpress
    Wordpress wordpress
  Vendors & Products:
    Expresstech
    Expresstech quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
    Wordpress
    Wordpress wordpress

Tue, 24 Mar 2026 02:30:00 +0000

Values Added (no values removed):
  Description: The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanitization of user-supplied input before being used in a SQL query. The sanitize_text_field() function applied to the merged_question parameter does not prevent SQL metacharacters like ), OR, AND, and # from being included in the value, which is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or casting values to integers. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  Title: Quiz and Survey Master (QSM) <= 10.3.5 - Authenticated (Contributor+) SQL Injection via 'merged_question' Parameter
  Weaknesses: CWE-89
  References:
  Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Expresstech Quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:36.412Z

Reserved: 2026-02-12T16:12:41.339Z

Link: CVE-2026-2412

Vulnrichment

Updated: 2026-03-24T18:44:41.538Z

NVD

Status: Awaiting Analysis

Published: 2026-03-23T23:17:11.287

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-2412

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:14Z

Weaknesses