SQL Injection Flaw Affects 40,000 WordPress Sites

By Team-CWD, February 3, 2026


More than 40,000 WordPress sites using the Quiz and Survey Master plugin have been affected by a SQL injection vulnerability that allowed authenticated users to interfere with database queries.

The flaw existed in versions 10.3.1 and earlier and could be exploited by any logged-in user with Subscriber-level privileges or higher, increasing the risk of unauthorised data access.

Quiz and Survey Master, also known as QSM, is widely used to create quizzes, surveys and forms. Its feature set includes multimedia support and a drag-and-drop quiz builder, which has contributed to its large install base.

The vulnerability did not require administrative access, meaning a broad range of user accounts could potentially be abused to trigger the issue.

How The Vulnerability Exposed Site Databases

The vulnerability was located in a REST API function responsible for retrieving quiz question data. A request parameter named is_linking was assumed to be a numeric identifier and was inserted into a database query without proper validation. No sanitisation was applied before the value was combined with other question IDs and executed as part of an SQL statement.

This meant a malicious user could supply specially crafted input containing additional SQL commands. Because the query was not built using a prepared statement, the database would process the injected content as part of the query itself, opening the door to data extraction or other unwanted actions.


The issue has been assigned CVE-2025-67987. Although there is no indication that the vulnerability was actively exploited, its presence highlights the risks of trusting request data, even when it is not intended to be directly controlled by users.

Patch Released Following Responsible Disclosure

In an advisory published last week, Patchstack said the vulnerability was fixed in Quiz and Survey Master version 10.3.2.

The update mitigates the issue by forcing the is_linking parameter to be converted into an integer using intval, ensuring that only numeric values are processed by the database query.
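The following sketch, added here as an illustration and not taken from the plugin's code base, shows the vulnerable pattern described above beside the hardened form the fix describes. The route name, table name, column names and the accompanying question IDs are all assumed; the only detail taken from the advisory is that a request parameter called is_linking is coerced with intval. The hardened version also hands the values to $wpdb->prepare() so the database only ever sees placeholders.

```php
<?php
// Added illustration (not the plugin's own code). A hypothetical WordPress
// REST callback that fetches question rows; table and column names are assumed.

// BEFORE (vulnerable pattern): the request value is trusted to be numeric and is
// concatenated straight into the SQL string, so any non-numeric content becomes
// part of the query the database executes.
function qsm_demo_get_questions_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $is_linking   = $request->get_param( 'is_linking' ); // arbitrary string from the request
    $question_ids = '1,2,3';                              // assumed: other IDs already known
    $sql = "SELECT * FROM {$wpdb->prefix}demo_questions "
         . "WHERE question_id IN ({$question_ids},{$is_linking})";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// AFTER (hardened): force the parameter to an integer with intval(), as the fix
// does, and let $wpdb->prepare() build the query from %d placeholders so the
// value can never change the shape of the statement.
function qsm_demo_get_questions_fixed( WP_REST_Request $request ) {
    global $wpdb;
    $is_linking   = intval( $request->get_param( 'is_linking' ) ); // non-numeric input becomes 0
    $question_ids = array( 1, 2, 3 );                              // assumed: other IDs already known

    $ids   = array_map( 'intval', $question_ids );
    $ids[] = $is_linking;

    // One %d placeholder per ID, e.g. "%d,%d,%d,%d"
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_questions WHERE question_id IN ({$placeholders})",
        $ids
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Defence in depth (assumed, not part of the reported fix): declare the parameter
// as an integer in the route schema so the REST layer rejects non-numeric values
// before the callback runs, and require a capability rather than any logged-in user.
add_action( 'rest_api_init', function () {
    register_rest_route( 'qsm-demo/v1', '/questions', array(
        'methods'             => 'GET',
        'callback'            => 'qsm_demo_get_questions_fixed',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' ); // assumed capability for the example
        },
        'args'                => array(
            'is_linking' => array(
                'type'              => 'integer',
                'required'          => true,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

The intval() cast alone closes the injection, because an integer cannot carry SQL syntax; the prepared statement and the route schema are extra layers that keep the query safe even if a future change reintroduces a string-typed parameter.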

The flaw was discovered and reported by Doan Dinh Van, a member of the Patchstack Alliance community.

Patchstack received the report on November 21, 2025 and notified the plugin vendor. The patched release was issued on December 4, 2025, with the advisory made public in late January 2026.

The incident reinforces the importance of input validation and the use of prepared statements when handling database queries in WordPress plugins.
