CVE-2021-24221

CVE-2021-24221: Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode

Vendor Unknown
Product Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Weakness CWE-89 · SQLi
Published April 12, 2021
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embed on a public page or post, then unauthenticated users could exploit the injection.

Key dates

02Disclosure timeline

April 12, 2021 CVE published
August 3, 2024 Record updated