WordPress · Quiz/Survey Master · CVE-2026-2412
**Name of the Vulnerable Software and Affected Versions**
Quiz and Survey Master (QSM) plugin for WordPress versions through 10.3.5
**Description**
The Quiz and Survey Master (QSM) plugin for WordPress is susceptible to SQL Injection through the `merged_question` parameter. Insufficient input sanitization allows malicious code to be injected into SQL queries. The `sanitize_text_field()` function does not prevent SQL metacharacters such as `)`, `OR`, `AND`, and `#` from being included in the value of the `merged_question` parameter. This value is then directly concatenated into a SQL `IN()` clause without proper preparation, enabling authenticated attackers with Contributor-level access or higher to append additional SQL queries to extract sensitive information from the database.
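The pattern the advisory describes, shown beside a hardened version. This is an added illustration, not the QSM plugin's own code; the table name, the `question_id` column and both function names are assumed.

```php
<?php
// Constructed illustration of the advisory's bug class, not QSM plugin code.
// Assumes a hypothetical table {$wpdb->prefix}example_questions and a
// comma-separated list of question IDs arriving as $_POST['merged_question'].

// VULNERABLE PATTERN: sanitize_text_field() strips tags and control
// characters, but leaves SQL metacharacters such as ), OR, AND and #
// untouched, so the value still reaches the IN() clause unescaped.
function example_get_questions_unsafe( $raw ) {
    global $wpdb;
    $merged = sanitize_text_field( $raw ); // not an SQL-safety measure
    $table  = $wpdb->prefix . 'example_questions';
    // Direct string concatenation into IN() with no preparation.
    return $wpdb->get_results(
        "SELECT * FROM {$table} WHERE question_id IN ({$merged})"
    );
}

// HARDENED PATTERN: enforce the expected type (non-negative integer IDs),
// then bind every value through a %d placeholder with $wpdb->prepare().
function example_get_questions_safe( $raw ) {
    global $wpdb;
    // absint() coerces each element to an unsigned integer; anything that is
    // not a number becomes 0 and is dropped by array_filter().
    $ids = array_filter( array_map( 'absint', explode( ',', (string) $raw ) ) );
    if ( empty( $ids ) ) {
        return array();
    }
    $table        = $wpdb->prefix . 'example_questions';
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    // $wpdb->prepare() accepts an array of arguments for the placeholders.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE question_id IN ({$placeholders})",
        array_values( $ids )
    );
    return $wpdb->get_results( $sql );
}
```

A capability check (for example `current_user_can()`) in front of the handler limits who can reach the parameter at all, which is the spirit of the workaround below.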
**Recommendations**
Versions prior to and including 10.3.5 should be updated to a newer, fixed version when available. As a temporary workaround, restrict access to the `merged_question` parameter to prevent exploitation.