CVE-2026-2412

Name of the Vulnerable Software and Affected Versions Quiz and Survey Master (QSM) plugin for WordPress versions through 10.3.5

Description The Quiz and Survey Master (QSM) plugin for WordPress is susceptible to SQL Injection through the merged question parameter. Insufficient input sanitization allows malicious code to be injected into SQL queries. The sanitize text field() function does not prevent SQL metacharacters such as ), OR, AND, and # from being included in the value of the merged question parameter. This value is then directly concatenated into a SQL IN() clause without proper preparation, enabling authenticated attackers with Contributor-level access or higher to append additional SQL queries to extract sensitive information from the database.

Recommendations Versions prior to and including 10.3.5 should be updated to a newer, fixed version when available. As a temporary workaround, restrict access to the merged question parameter to prevent exploitation.