Description
The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to insufficient input sanitization and the execution of do_shortcode() on user-submitted quiz answer text. User-submitted answers pass through sanitize_text_field() and htmlspecialchars(), which only strip HTML tags but do not encode or remove shortcode brackets [ and ]. When quiz results are displayed, the plugin calls do_shortcode() on the entire results page output (including user answers), causing any injected shortcodes to be executed. This makes it possible for unauthenticated attackers to inject arbitrary WordPress shortcodes such as [qsm_result id=X] to access other users' quiz submissions without authorization, as the qsm_result shortcode lacks any authorization checks.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated disclosure of private quiz results via arbitrary shortcode execution
Action: Immediate Patch
AI Analysis

Impact

The Quiz And Survey Master plugin for WordPress allows users to submit quiz answers that are not properly sanitized before being passed to the short‑code processor. Because the plugin calls do_shortcode() on the entire results page, any shortcodes embedded in user answers are executed. This flaw can be exploited by an unauthenticated attacker to inject shortcodes such as [qsm_result id=X], which then reveals the results of other users’ quizzes. The vulnerability is a form of authorization bypass that results in the disclosure of confidential user data.

Affected Systems

Any WordPress site running Quiz and Survey Master version 11.1.0 or earlier, including all releases of the plugin up to that version. The affected component is the core plugin code that processes quiz answers and displays results. Users of this plugin are those who allow quiz participation without requiring authentication.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity. No EPSS information is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting low to moderate exploitation probability until a public exploit becomes available. The exploit requires no special privileges and can be performed from any external web request containing a crafted quiz answer. The short‑code execution bypass makes the attack straightforward once the attacker identifies a target quiz. Because the flaw does not rely on any complex preconditions, it is likely to be discovered and used by attackers who wish to obtain users’ quiz submissions.

Generated by OpenCVE AI on April 17, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Quiz and Survey Master plugin (≥ 11.1.1) immediately.
  • If an update cannot be deployed right away, modify the results rendering code to remove or escape any short‑code delimiters before calling do_shortcode(), or disable short‑code execution entirely on the results page.
  • Disable or secure the qsm_result shortcode by adding an authorization check that verifies the current user has permission to view the specified quiz result.

Generated by OpenCVE AI on April 17, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Expresstech
Expresstech quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
Wordpress
Wordpress wordpress
Vendors & Products Expresstech
Expresstech quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
Wordpress
Wordpress wordpress

Fri, 17 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Description The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to insufficient input sanitization and the execution of do_shortcode() on user-submitted quiz answer text. User-submitted answers pass through sanitize_text_field() and htmlspecialchars(), which only strip HTML tags but do not encode or remove shortcode brackets [ and ]. When quiz results are displayed, the plugin calls do_shortcode() on the entire results page output (including user answers), causing any injected shortcodes to be executed. This makes it possible for unauthenticated attackers to inject arbitrary WordPress shortcodes such as [qsm_result id=X] to access other users' quiz submissions without authorization, as the qsm_result shortcode lacks any authorization checks.
Title Quiz and Survey Master (QSM) <= 11.1.0 - Unauthenticated Shortcode Injection Leading to Arbitrary Quiz Result Disclosure via Quiz Answer Text Input Fields
Weaknesses CWE-74
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Expresstech Quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T11:14:55.597Z

Reserved: 2026-04-08T14:08:20.955Z

Link: CVE-2026-5797

cve-icon Vulnrichment

Updated: 2026-04-17T11:14:30.853Z

cve-icon NVD

Status : Received

Published: 2026-04-17T06:16:30.153

Modified: 2026-04-17T06:16:30.153

Link: CVE-2026-5797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T08:01:12Z

Weaknesses