PT-2025-38114 · WordPress · Quiz Maker

Rahul Sreenivasan

·

Published

2025-09-17

·

Updated

2026-01-25

·

CVE-2025-10042

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Quiz Maker plugin for WordPress, versions up to and including 6.7.0.56

Description

The Quiz Maker plugin for WordPress is susceptible to SQL injection via a manipulated IP header. The plugin does not adequately escape the user-supplied value and does not prepare the existing SQL query before it is executed, so an unauthenticated attacker can append additional SQL to the query and potentially extract sensitive information from the database. The issue is exploitable only in configurations where the server derives the client IP address from a user-supplied field, such as the X-Forwarded-For header, and IP-based user restrictions are enabled in the plugin. The vulnerable parameter is the value carried in the X-Forwarded-For header.

Recommendations

Update to version 6.7.0.57 or later. If the server is configured to take the client IP address from a user-supplied field such as X-Forwarded-For, disable IP-based user restrictions until the plugin is updated. Where a reverse proxy legitimately sets X-Forwarded-For, configure the web server or WordPress to accept that header only from the proxy's address and to discard any value supplied by the client itself; a header that any client can set is not a reliable source of identity.
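As an added illustration (not Quiz Maker's code, and not the actual exploit for CVE-2025-10042), the following Python models the bug class the advisory describes: a client-controlled X-Forwarded-For value interpolated into an SQL query, beside the parameterized form (the equivalent of $wpdb->prepare() in WordPress) and an IP-extraction helper that honours the header only when the direct peer is a trusted reverse proxy. The table and column names, the single-proxy address 10.0.0.5 and the UNION payload are constructed assumptions for the demonstration.

```python
"""Constructed demo of SQL injection through X-Forwarded-For, vulnerable vs. fixed.

Schema, data and the proxy address are assumptions made for this example;
they are not taken from the Quiz Maker plugin.
"""
import ipaddress
import sqlite3

# Assumption: exactly one reverse proxy sits in front of the application.
TRUSTED_PROXIES = {"10.0.0.5"}

# Constructed payload: closes the quoted IP literal and appends a UNION.
PAYLOAD = "' UNION SELECT user_login, user_pass FROM wp_users -- "


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema: an IP-restriction table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE quiz_attempts (id INTEGER PRIMARY KEY, quiz_id INTEGER, user_ip TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO quiz_attempts VALUES (1, 7, '203.0.113.9');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bexamplehash');
        """
    )
    return conn


def attempts_vulnerable(conn: sqlite3.Connection, quiz_id: int, client_ip: str) -> list:
    """The bug class: the header-derived IP is pasted into the query unescaped."""
    sql = (
        "SELECT id, user_ip FROM quiz_attempts "
        f"WHERE quiz_id = {quiz_id} AND user_ip = '{client_ip}'"
    )
    return conn.execute(sql).fetchall()


def attempts_fixed(conn: sqlite3.Connection, quiz_id: int, client_ip: str) -> list:
    """Parameterized query: the IP is bound as data, never parsed as SQL."""
    sql = "SELECT id, user_ip FROM quiz_attempts WHERE quiz_id = ? AND user_ip = ?"
    return conn.execute(sql, (quiz_id, client_ip)).fetchall()


def client_ip_from_headers(remote_addr: str, headers: dict) -> str:
    """Derive the client IP, trusting X-Forwarded-For only from the known proxy.

    With a single trusted proxy, the rightmost XFF entry is the one the proxy
    appended (the peer it actually talked to); anything to its left was
    client-supplied and is ignored. The value must also parse as an IP
    address, so SQL fragments never reach the application. On any doubt
    fall back to the transport-level peer address.
    """
    xff = headers.get("X-Forwarded-For")
    if remote_addr in TRUSTED_PROXIES and xff:
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # proxy-appended value is not an IP: treat as untrusted
    return remote_addr


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, legit IP :", attempts_vulnerable(db, 7, "203.0.113.9"))
    print("vulnerable, payload  :", attempts_vulnerable(db, 7, PAYLOAD))
    print("fixed, payload       :", attempts_fixed(db, 7, PAYLOAD))
    spoofed = {"X-Forwarded-For": PAYLOAD + ", 203.0.113.9"}
    print("ip via trusted proxy :", client_ip_from_headers("10.0.0.5", spoofed))
    print("ip, untrusted peer   :", client_ip_from_headers("198.51.100.1", spoofed))
```

The vulnerable function returns the users-table row for the payload, which is the "extract sensitive information" outcome in the advisory; the parameterized function returns nothing because the payload is compared as a literal string. The header helper shows the complementary mitigation from the recommendations: even with a parameterized query, an application that believes an arbitrary X-Forwarded-For value will apply its IP-based restrictions to whatever identity the client chooses.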

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2025-10042

Affected Products

Quiz Maker