Quiz And Survey Master Qsm Quiz Maker Survey Maker
Monthly
Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. No public exploit code has been identified at time of analysis; however, the split-phase attack pattern - where payload planting and execution are decoupled - commonly evades first-order WAF detection and standard code scanning, elevating practical risk beyond the 6.5 CVSS score alone.
Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. No public exploit code has been identified at time of analysis; however, the split-phase attack pattern - where payload planting and execution are decoupled - commonly evades first-order WAF detection and standard code scanning, elevating practical risk beyond the 6.5 CVSS score alone.