PT-2026-33411 · WordPress · Quiz/Survey Master

Rafshanzani Suhada · Published 2026-04-17 · Updated 2026-04-17 · CVE-2026-5797

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Quiz And Survey Master versions prior to 11.1.1

Description: Insufficient input sanitization allows arbitrary shortcode execution. User-submitted quiz answer text is processed by sanitize_text_field() and htmlspecialchars(), which remove HTML tags but neither encode nor remove shortcode brackets. When quiz results are displayed, the plugin passes the output through do_shortcode(), which executes any injected shortcodes. Unauthenticated attackers can use this to inject shortcodes such as '[qsm_result id=X]' and read other users' quiz submissions without authorization, because the qsm_result shortcode performs no authorization check.

Recommendations: Update to a version later than 11.1.0.
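The pattern described above, as an added illustration that is not the plugin's own code: the sanitization chain leaves '[' and ']' intact, so the text reaches do_shortcode() as a live shortcode, beside two hardened forms (keep user text out of do_shortcode(), and make the result shortcode check authorization). It assumes a WordPress runtime; every qsm_demo_* name is hypothetical.

```php
<?php
// Added example, not Quiz And Survey Master's code. Assumes WordPress is loaded;
// the qsm_demo_* functions are hypothetical stand-ins for the plugin's own.

// VULNERABLE PATTERN: sanitize_text_field() strips HTML tags and htmlspecialchars()
// encodes < > & " ', but neither touches '[' or ']', so '[qsm_result id=X]'
// survives verbatim and do_shortcode() then executes it.
function qsm_demo_render_answer_vulnerable( $answer_from_user ) {
    $clean = htmlspecialchars( sanitize_text_field( $answer_from_user ) );
    return do_shortcode( 'Your answer: ' . $clean ); // runs the injected shortcode
}

// HARDENED PATTERN 1: only the admin-authored template goes through do_shortcode();
// the escaped user answer is spliced in afterwards and is never re-parsed.
function qsm_demo_render_answer_hardened( $answer_from_user, $trusted_template ) {
    $clean    = esc_html( sanitize_text_field( $answer_from_user ) );
    $rendered = do_shortcode( $trusted_template ); // template contains '%ANSWER%'
    return str_replace( '%ANSWER%', $clean, $rendered );
}

// HARDENED PATTERN 2 (defence in depth): if user text must still pass through
// do_shortcode() somewhere, strip registered shortcodes and encode the brackets
// so nothing can be re-assembled into '[name ...]'. strip_shortcodes() alone is
// not enough: it only removes shortcodes registered at that moment.
function qsm_demo_neutralise_shortcodes( $text ) {
    $text = strip_shortcodes( $text );
    return str_replace( array( '[', ']' ), array( '&#91;', '&#93;' ), $text );
}

// HARDENED PATTERN 3: the result shortcode enforces ownership itself, so even an
// injected '[qsm_demo_result id=X]' cannot disclose another user's submission.
add_shortcode( 'qsm_demo_result', function ( $atts ) {
    $atts      = shortcode_atts( array( 'id' => 0 ), $atts );
    $result_id = absint( $atts['id'] );
    $owner_id  = qsm_demo_result_owner( $result_id ); // hypothetical: owner user ID
    if ( ! is_user_logged_in()
        || ( get_current_user_id() !== $owner_id && ! current_user_can( 'manage_options' ) ) ) {
        return ''; // deny silently rather than leak data
    }
    return esc_html( qsm_demo_result_text( $result_id ) ); // hypothetical lookup
} );
```

The same ownership check belongs on every code path that renders a stored result, not only on the shortcode handler.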

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2026-5797

Affected Products

Quiz/Survey Master