PT-2024-36695 · WordPress · The Quiz/Survey Master
Project Black · Published 2024-07-02 · Updated 2024-07-08
CVE-2024-5606
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Quiz and Survey Master (QSM) WordPress plugin, versions prior to 9.0.2.
Description: The issue is a SQL injection caused by missing validation and escaping of the question id parameter in the "qsm bulk delete question from database" AJAX action. It can be exploited by authenticated users with the Contributor role or higher.
Recommendations: For versions prior to 9.0.2, update to version 9.0.2 or later to resolve the issue. As a temporary workaround, restrict access to the "qsm bulk delete question from database" AJAX action to reduce the risk of exploitation.

Weakness Enumeration: SQL injection
Related Identifiers: CVE-2024-5606
Affected Products: The Quiz/Survey Master