Quiz And Survey Master
Unauthenticated reflected/stored cross-site scripting in the Quiz And Survey Master WordPress plugin (versions through 11.1.2) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The CVSS score of 7.1 (High) includes a scope change, meaning injected script can impact resources beyond the vulnerable component. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Stored or reflected cross-site scripting in the Quiz And Survey Master WordPress plugin (versions up to and including 11.0.0) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after a single user interaction. Patchstack reports the issue under EUVD-2026-36990 with a CVSS 3.1 base score of 7.1 reflecting scope change and partial impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. [CVSS 6.5 MEDIUM]
The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘is_linking’ parameter in all versions up to, and including, 10.3.1 due to insufficient escaping of the user-supplied parameter and insufficient preparation of the existing SQL query. [CVSS 6.5 MEDIUM]
The Quiz and Survey Master (QSM) WordPress plugin before 9.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.