EUVD-2026-14608
GHSA-p9xr-7rv6-w58f
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanitization of user-supplied input before being used in a SQL query. The sanitize_text_field() function applied to the merged_question parameter does not prevent SQL metacharacters like ), OR, AND, and # from being included in the value, which is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or casting values to integers. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
The Quiz and Survey Master (QSM) WordPress plugin versions up to 10.3.5 contains a SQL injection vulnerability in the 'merged_question' parameter that allows authenticated attackers with Contributor-level access or higher to extract sensitive database information. The vulnerability exists because the plugin uses sanitize_text_field() which does not prevent SQL metacharacters from being injected into an SQL IN() clause, and the resulting query is not properly parameterized using $wpdb->prepare() or integer casting. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today