
SQL Injection Vulnerability in Quiz and Survey Master Plugin Affects 40,000 WordPress Sites

1 unique source, 1 article

Summary


A SQL injection vulnerability in the Quiz and Survey Master (QSM) plugin for WordPress, affecting versions 10.3.1 and earlier, has been discovered. The flaw allowed authenticated users with Subscriber-level privileges or higher to interfere with database queries, potentially leading to unauthorized data access. The vulnerability was patched in version 10.3.2, released on December 4, 2025. The issue highlights the risks of improper input validation and the importance of using prepared statements in database queries.

Timeline

  1. 03.02.2026 18:15 · 1 article

    SQL Injection Vulnerability Patched in Quiz and Survey Master Plugin

    A SQL injection vulnerability in the Quiz and Survey Master plugin for WordPress, affecting versions 10.3.1 and earlier, was discovered and reported by Doan Dinh Van. The flaw allowed authenticated users with Subscriber-level privileges or higher to interfere with database queries. The vulnerability was patched in version 10.3.2, released on December 4, 2025, following responsible disclosure.


Information Snippets

  • The vulnerability affected versions 10.3.1 and earlier of the Quiz and Survey Master plugin.

    First reported: 03.02.2026 18:15
    1 source, 1 article
  • Authenticated users with Subscriber-level privileges or higher could exploit the flaw.

    First reported: 03.02.2026 18:15
    1 source, 1 article
  • The vulnerability was located in a REST API function responsible for retrieving quiz question data.

    First reported: 03.02.2026 18:15
    1 source, 1 article
  • The flaw was patched in version 10.3.2, released on December 4, 2025.

    First reported: 03.02.2026 18:15
    1 source, 1 article
  • The vulnerability was discovered by Doan Dinh Van, a member of the Patchstack Alliance community.

    First reported: 03.02.2026 18:15
    1 source, 1 article