Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
UI:R assigned because SQL payload execution requires a second user to view the Questions tab; all other metrics align with the official vector.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied 'pages' parameter persisted by the qsm_ajax_save_pages() AJAX handler (sanitize_text_field only) and lack of sufficient preparation on the existing SQL query built in qsm_options_questions_tab_content() at line 143, where the stored page IDs are interpolated into an IN() clause via implode() with no $wpdb->prepare() and no integer casting. This makes it possible for authenticated attackers, with Author-level access and above (who can own a quiz they are entitled to edit), to plant a SQL payload that is executed second-order whenever any user (including an administrator) views the quiz's Questions tab, allowing them to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold an authenticated Author-level (or higher) WordPress account on the target site - PR:N unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) correctly identifies network reachability and high confidentiality impact but the official UI:N designation warrants scrutiny: execution of the stored payload is gated on a second user viewing the Questions tab, which is a form of deferred user interaction even if uncoerced. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with an Author account on a WordPress site running QSM 11.2.0 navigates to the quiz editor for a quiz they own and intercepts the AJAX save request, injecting a crafted SQL fragment into the 'pages' parameter - for example, '1 UNION SELECT user_login,user_pass,3,4,5 FROM wp_users-- '. This payload is stored in the database through the insufficiently sanitized save handler. … |
| Remediation | An upstream fix has been committed to the WordPress plugin SVN repository as changeset 3608310, visible at https://plugins.trac.wordpress.org/changeset?reponame=&old=3608310%40quiz-master-next&new=3608310%40quiz-master-next; however, the specific patched release version number is not confirmed in the provided data, so administrators should verify the current version available on WordPress.org and update immediately once a patched release is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44885
GHSA-4895-w473-xhfc