
Quiz and Survey Master SQL injection mitigation (CVE-2025-67987)

Advisory/Mitigation
1 unique source, 1 article

Summary


Patchstack published mitigation guidance for CVE-2025-67987, directing administrators to update Quiz and Survey Master to version 10.3.2 to close a SQL injection flaw. The advisory applies to versions 10.3.1 and earlier, which were exposed on more than 40,000 WordPress sites. The issue could be abused by authenticated Subscriber-level users or higher to interfere with database queries and increase the risk of unauthorized data access. The fix hardens the vulnerable query path by converting the `is_linking` parameter to an integer with `intval`.
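The hardening described above, as an added example that is not the plugin's own code: a minimal PHP script contrasting a query built from the raw `is_linking` request value with one that passes it through `intval` and a bound parameter. It assumes the pdo_sqlite extension; the table, column and inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from Quiz and Survey Master: an in-memory SQLite
// table stands in for the plugin's database so the two query styles can be
// compared offline (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE quiz_example (id INTEGER, is_linking INTEGER)');
$db->exec('INSERT INTO quiz_example VALUES (1, 0), (2, 1), (3, 1)');

// Vulnerable pattern: the raw request value is concatenated into the SQL,
// so anything other than a plain number changes the statement itself.
function fetch_vulnerable(PDO $db, string $is_linking): array
{
    $sql = "SELECT id FROM quiz_example WHERE is_linking = $is_linking";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern, following the 10.3.2 fix: intval() reduces the value to
// an integer (a non-numeric string becomes 0), so only digits can reach the
// query. A bound parameter is used as well; in WordPress the equivalent is
// $wpdb->prepare() with a %d placeholder.
function fetch_hardened(PDO $db, string $is_linking): array
{
    $value = intval($is_linking);
    $stmt  = $db->prepare('SELECT id FROM quiz_example WHERE is_linking = ?');
    $stmt->execute([$value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a well-formed value and a tampered one.
$normal   = '0';
$tampered = '0 OR 1=1';

// With the tampered input the vulnerable query no longer filters on
// is_linking at all; the hardened query still sees only the integer 0.
print_r(fetch_vulnerable($db, $normal));
print_r(fetch_vulnerable($db, $tampered));
print_r(fetch_hardened($db, $tampered));
```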

Related Happenings

Drupal Core database abstraction API SQL injection flaw (CVE-2026-9082)

Vulnerability
First: 21.05.2026 06:44 Last: 21.05.2026 06:44 Sources 1

About this happening: **CVE-2026-9082** in **Drupal Core** is a **SQL injection** flaw in the **database abstraction API** that affects **PostgreSQL-backed sites** and can lead to **information disclos...

LiteLLM pre-auth SQL injection (CVE-2026-42208)

Vulnerability
First: 29.04.2026 00:07 Last: 29.04.2026 00:07 Sources 1

About this happening: **LiteLLM**'s **CVE-2026-42208** pre-auth SQL injection is being actively exploited, putting proxy databases and stored secrets at risk. The flaw can be triggered without authenti...

Latest development: 29.04.2026 08:34

BerriAI released `1.83.7-stable` on April 19, 2026 to address `CVE-2026-42208`, a critical SQL injection in LiteLLM proxy API key checks, and recommended setting `disable_error_logs: true` as a workaround when immediate upgrading is not possible.

Ally WordPress plugin SQL injection flaw (CVE-2026-2313)

Vulnerability
First: 11.03.2026 21:38 Last: 11.03.2026 21:38 Sources 1

About this happening: **Elementor's Ally** WordPress plugin is exposed to **CVE-2026-2313**, an **unauthenticated SQL injection** flaw that can steal sensitive data from sites running versions **up to...

SQL Server elevation-of-privilege flaw (CVE-2026-21262)

Vulnerability
First: 10.03.2026 19:49 Last: 10.03.2026 19:49 Sources 1

About this happening: **Microsoft** patched **CVE-2026-21262** in **SQL Server**, closing a publicly disclosed **elevation-of-privilege** flaw that can grant **SQLAdmin** privileges over the network. T...

User Registration & Membership unauthenticated admin account creation security flaw (CVE-2026-1492)

Vulnerability
First: 05.03.2026 20:44 Last: 05.03.2026 20:44 Sources 1

About this happening: Active exploitation of **CVE-2026-1492** in the **User Registration & Membership** plugin can let attackers create **administrator accounts without authentication**, putting **60,...

Timeline

  1. 03.02.2026 18:15 2 articles · 3mo ago

    Quiz and Survey Master 10.3.2 patch released

    Mitigation Patch Update

    Quiz and Survey Master version 10.3.2 was issued as the patched release on 4 December 2025, closing CVE-2025-67987 for installations running version 10.3.1 and earlier. The fix targeted the vulnerable REST API query path used by the plugin.

  2. 21.11.2025 02:00 1 article · 6mo ago

    Quiz and Survey Master SQL injection report received

    Initial Disclosure

    Patchstack received a report from Doan Dinh Van, a member of the Patchstack Alliance community, about a SQL injection flaw in the Quiz and Survey Master (QSM) WordPress plugin and notified the plugin vendor on 21 November 2025. The issue affected more than 40,000 WordPress sites and could be triggered by authenticated Subscriber-level users or higher.
