Skip to main content

Quiz Master Next EUVDEUVD-2026-44885

| CVE-2026-13767 MEDIUM
SQL Injection (CWE-89)
2026-07-16 Wordfence GHSA-4895-w473-xhfc
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.7 MEDIUM

UI:R assigned because SQL payload execution requires a second user to view the Questions tab; all other metrics align with the official vector.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:01 vuln.today
CVE Published
Jul 16, 2026 - 07:51 cve.org
MEDIUM 6.5

DescriptionCVE.org

The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied 'pages' parameter persisted by the qsm_ajax_save_pages() AJAX handler (sanitize_text_field only) and lack of sufficient preparation on the existing SQL query built in qsm_options_questions_tab_content() at line 143, where the stored page IDs are interpolated into an IN() clause via implode() with no $wpdb->prepare() and no integer casting. This makes it possible for authenticated attackers, with Author-level access and above (who can own a quiz they are entitled to edit), to plant a SQL payload that is executed second-order whenever any user (including an administrator) views the quiz's Questions tab, allowing them to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as Author-level WordPress user
Delivery
Intercept AJAX save and inject SQL into 'pages' parameter
Exploit
Payload stored in database via qsm_ajax_save_pages()
Install
Administrator navigates to quiz Questions tab
C2
qsm_options_questions_tab_content() interpolates stored payload into IN() clause
Execute
Database executes appended UNION/subquery
Impact
WordPress user credentials and sensitive records exfiltrated

Vulnerability AssessmentAI

Exploitation The attacker must hold an authenticated Author-level (or higher) WordPress account on the target site - PR:N unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) correctly identifies network reachability and high confidentiality impact but the official UI:N designation warrants scrutiny: execution of the stored payload is gated on a second user viewing the Questions tab, which is a form of deferred user interaction even if uncoerced. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with an Author account on a WordPress site running QSM 11.2.0 navigates to the quiz editor for a quiz they own and intercepts the AJAX save request, injecting a crafted SQL fragment into the 'pages' parameter - for example, '1 UNION SELECT user_login,user_pass,3,4,5 FROM wp_users-- '. This payload is stored in the database through the insufficiently sanitized save handler. …
Remediation An upstream fix has been committed to the WordPress plugin SVN repository as changeset 3608310, visible at https://plugins.trac.wordpress.org/changeset?reponame=&old=3608310%40quiz-master-next&new=3608310%40quiz-master-next; however, the specific patched release version number is not confirmed in the provided data, so administrators should verify the current version available on WordPress.org and update immediately once a patched release is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy