What the vulnerability does
01Description
The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanitization of user-supplied input before being used in a SQL query. The sanitize_text_field() function applied to the merged_question parameter does not prevent SQL metacharacters like ), OR, AND, and # from being included in the value, which is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or casting values to integers. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Explanation of Vulnerability in Simple Terms
02Summary
Quiz and Survey Master versions up to 10.3.5 contain a SQL injection vulnerability in a component requiring low-level authentication. An authenticated attacker can query the site's database directly to read sensitive data, including user information and quiz responses. The vulnerability does not allow data modification or denial of service. Update to a version newer than 10.3.5.
What an attacker can do
03Attacker Capabilities
Read sensitive data from the site's database, including user information and quiz responses.
Potential impact on your site
04Site Impact
User data and quiz responses stored in the database can be exposed to authenticated attackers.
Conditions required to exploit
05Prerequisites
Attacker must have a low-level user account on the site (e.g., subscriber or quiz taker).
Key dates
06Disclosure timeline
March 23, 2026
CVE published
April 8, 2026
Record updated
