CVE-2021-24221

Name of the Vulnerable Software and Affected Versions: The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress versions prior to 7.1.12

Description: The issue arises from the lack of sanitization of the result id GET parameter on pages with the [qsm result] shortcode without an id attribute. This leads to an SQL injection, allowing unauthorized access to the DBMS. The vulnerability can be exploited by authors or even unauthenticated users if the shortcode is embedded on a public page or post.

Recommendations: For versions prior to 7.1.12, update to version 7.1.12 or later to resolve the issue. As a temporary workaround, consider disabling the use of the [qsm result] shortcode without an id attribute until a patch is available. Restrict access to pages or posts with the vulnerable shortcode to minimize the risk of exploitation.