SQL Injection Vulnerability Reported in Quiz and Survey Master WordPress Plugin
Take action: If you are using the Quiz and Survey Master plugin, plan a quick update to version 10.3.2. Even low-level user accounts can exploit this flaw, so do not assume your site is safe just because you trust your registered users.
An SQL injection vulnerability has been reported in the WordPress Quiz and Survey Master (QSM) plugin.
The vulnerability is tracked as CVE-2025-67987 (CVSS score 8.5). It is a SQL injection in the qsm_rest_get_question REST API function: the plugin fails to validate or sanitize the is_linking request parameter before inserting it into a database query. Attackers could potentially steal:
- User credentials and hashed passwords
- Quiz and survey responses
- Site configuration details and API keys
- Personal identifiable information (PII) of site visitors
An attacker with Subscriber-level privileges can send a crafted request in which the is_linking parameter carries SQL, and the database executes it because the query is built by string concatenation rather than with a prepared statement. This lets the attacker alter the query's logic and extract sensitive information from the WordPress database.
No active exploitation has been reported, but the plugin's large install base makes it an attractive target for attackers.
The vulnerability affects all versions of the Quiz and Survey Master plugin up to and including version 10.3.1.
Users must update to Quiz and Survey Master version 10.3.2 or later as soon as possible.
Administrators should check their WordPress plugin list (Plugins > Installed Plugins in the dashboard, or "wp plugin list" with WP-CLI) for "Quiz and Survey Master" or "QSM" to determine whether they are running an outdated version.
Developers are also encouraged to use $wpdb->prepare() for every query that includes external input, so that values are passed through typed placeholders (%s, %d, %f) and kept separate from the query text rather than concatenated into it.
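The following is an added illustration of the two patterns described above; it is not the plugin's code. The REST route, the table and column names, and the capability required by the permission_callback are assumptions made for the example. Only the parameter name is_linking and the use of $wpdb->prepare() come from the advisory.

```php
<?php
// Added illustration, not QSM's code. Table name, column names, route and
// capability are assumptions; the is_linking parameter name is from the advisory.

// Vulnerable pattern: the request value is interpolated straight into the SQL.
function qsm_example_get_question_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $is_linking = $request->get_param( 'is_linking' );  // attacker-controlled string
    $table      = $wpdb->prefix . 'example_questions';   // assumed table name
    // A value such as "1 OR 1=1" or a UNION SELECT becomes part of the query
    // and changes its logic; nothing stops the database from executing it.
    $sql = "SELECT question_id, question_name FROM {$table} WHERE is_linking = {$is_linking}";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Hardened pattern: the REST layer validates the argument against a schema
// before the callback runs, and the value is bound with a %d placeholder via
// $wpdb->prepare(), so it can only ever be treated as an integer, never as SQL.
function qsm_example_get_question_safe( WP_REST_Request $request ) {
    global $wpdb;
    $is_linking = (int) $request->get_param( 'is_linking' );
    $table      = $wpdb->prefix . 'example_questions';   // trusted, not user input
    $sql = $wpdb->prepare(
        "SELECT question_id, question_name FROM {$table} WHERE is_linking = %d",
        $is_linking
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'qsm-example/v1', '/question', array(
        'methods'             => 'GET',
        'callback'            => 'qsm_example_get_question_safe',
        // Defense in depth: require a capability above Subscriber (assumed
        // choice for this example) so low-privilege accounts cannot reach
        // the endpoint at all.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        // Schema validation rejects anything that is not 0 or 1 with a 400
        // before the callback is invoked.
        'args' => array(
            'is_linking' => array(
                'required'          => true,
                'type'              => 'integer',
                'enum'              => array( 0, 1 ),
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

Two layers matter here: the args schema stops malformed input at the REST boundary, and $wpdb->prepare() guarantees that whatever reaches the query is bound as data. Either one alone would have blocked the injection described in the advisory; together they also give a clear rejection (HTTP 400) that is easy to log and alert on.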