SQL Injection Flaw Affects 40,000 WordPress Sites

https://www.infosecurity-magazine.com/news/wordpress-sql-injection-flaw-40000/

Publish Date: 2026-02-03 11:15:00

Source Domain: www.infosecurity-magazine.com

More than 40,000 WordPress sites using the Quiz and Survey Master plugin have been affected by a SQL injection vulnerability that allowed authenticated users to interfere with database queries.

The flaw existed in versions 10.3.1 and earlier and could be exploited by any logged-in user with Subscriber-level privileges or higher, increasing the risk of unauthorised data access.

Quiz and Survey Master, also known as QSM, is widely used to create quizzes, surveys and forms. Its feature set includes multimedia support and a drag-and-drop quiz builder, which has contributed to its large install base.

The vulnerability did not require administrative access, meaning a broad range of user accounts could potentially be abused to trigger the issue.

How The Vulnerability Exposed Site Databases

The vulnerability was located in a REST API function responsible for retrieving quiz question data. A request parameter named is_linking was assumed to be a numeric identifier and was inserted into a database query without proper validation. No sanitisation was applied before the value was combined with other question IDs and executed as part of an SQL statement.

This approach allowed a malicious user to supply specially crafted input containing additional SQL commands. Since the query was not built using a prepared statement, the database would process the injected content as part of the query itself, opening the door to data extraction or other unwanted actions.
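To make the pattern concrete, here is an added example of a hypothetical WordPress REST callback that loads question rows by ID, showing the unsafe interpolation described above beside a hardened version. This is illustrative code written for this page, not the Quiz and Survey Master plugin's own code: the route name, function names, table `{$wpdb->prefix}example_questions`, the `question_ids` parameter and the column names are all assumptions. Only the idea of an `is_linking` request value being treated as a numeric ID comes from the article.

```php
<?php
// Added example, not code from the QSM plugin. Table and column names are assumed.

// VULNERABLE PATTERN: request values are trusted as numeric and interpolated
// straight into the SQL string, so whatever the client sends becomes part of
// the statement the database executes.
function example_get_questions_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $ids        = $request->get_param( 'question_ids' ); // expected "1,2,3", never checked
    $is_linking = $request->get_param( 'is_linking' );   // assumed to be an integer, never checked
    $sql = "SELECT question_id, question_name FROM {$wpdb->prefix}example_questions "
         . "WHERE question_id IN ($ids) OR question_id = $is_linking";
    return $wpdb->get_results( $sql );
}

// HARDENED: coerce every value to a non-negative integer, then let
// $wpdb->prepare() bind the values through %d placeholders.
function example_get_questions_safe( WP_REST_Request $request ) {
    global $wpdb;

    // absint() turns anything that is not a non-negative integer into 0.
    $ids   = array_map( 'absint', explode( ',', (string) $request->get_param( 'question_ids' ) ) );
    $ids[] = absint( $request->get_param( 'is_linking' ) );
    $ids   = array_values( array_unique( array_filter( $ids ) ) ); // drop 0 (rejected input) and duplicates

    if ( empty( $ids ) ) {
        return new WP_Error( 'invalid_ids', 'No valid question IDs supplied.', array( 'status' => 400 ) );
    }

    // One %d placeholder per value; prepare() substitutes the integers safely.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT question_id, question_name FROM {$wpdb->prefix}example_questions WHERE question_id IN ($placeholders)",
        $ids
    );

    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Registering the route with validate/sanitize callbacks rejects bad input
// before the callback runs, and the permission check limits who can call it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/questions', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_questions_safe',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' ); // assumed capability for this example
        },
        'args'                => array(
            'is_linking' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value >= 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

The key difference is that the hardened version never lets request text reach the SQL string: each value is reduced to an integer and passed to `$wpdb->prepare()` as a bound argument, so a non-numeric `is_linking` value is simply discarded rather than executed. The `validate_callback` and `permission_callback` are defence in depth on top of that, not a substitute for it.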

The issue has been assigned CVE-2025-67987. Although there is no indication that the vulnerability was actively exploited, its presence highlights the risks of trusting request data, even when it is not intended to be directly controlled by users.

Patch Released Following Responsible Disclosure

In an advisory published last week, Patchstack said the vulnerability was fixed in Quiz and Survey Master version 10.3.2.

The update…
