CVE-2026-6448: SQL Injection in Quiz and Survey Master WordPress Plugin
The Quiz and Survey Master plugin for WordPress contains a SQL injection flaw in how it processes the 'order' parameter. An admin-level attacker can craft malicious requests to extract sensitive data from the WordPress database. The vulnerability is time-based and blind, meaning attackers infer results through response delays rather than direct output. If the plugin's secret key becomes public, lower-privileged users could exploit it without admin credentials.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. If the secret key is exposed, this can be exploited by lower-privileged users.
12 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-6448 is a time-based blind SQL injection vulnerability (CWE-89) affecting the Quiz and Survey Master plugin versions up to 11.1.2. The 'order' parameter lacks proper escaping and parameterization, allowing authenticated attackers to inject arbitrary SQL clauses into database queries. The CVSS 3.1 score of 4.9 (Medium) reflects high confidentiality impact but no integrity or availability consequences under the base case of admin-only exploitation. The vulnerability's practical exploitation depends on database query timing characteristics and the attacker's ability to infer query results through response behavior.
Business impact
Exploitation could expose sensitive quiz, survey, and user response data stored in the WordPress database. For sites using QSM for internal assessments, employee surveys, or customer feedback, data leakage poses privacy and compliance risks. Admin-level compromise is the primary vector, suggesting the threat is contained within trusted WordPress administrator accounts—though secret key exposure widens the attack surface to lower-privileged users. Financial or reputational damage would depend on the sensitivity of data collected through the plugin and applicable data protection regulations.
Affected systems
Quiz and Survey Master – Easy Quiz and Survey Maker plugin for WordPress in versions up to and including 11.1.2 is affected. The vulnerability requires an authenticated WordPress user with admin-level access or higher. If the plugin's secret key is compromised, the requirement for admin credentials is bypassed, extending risk to lower-privileged authenticated users. Sites running version 11.1.2 or earlier should be considered in scope.
Exploitability
Exploitation requires initial authentication as a WordPress admin or, if the secret key is exposed, as any authenticated user. The attack is not trivial—time-based blind SQL injection demands careful crafting of requests and inference of results through database response delays. No public exploit code or active exploitation in the wild is currently reported (the vulnerability is not on CISA's KEV catalog). However, the relatively low barrier to auth (admin account) and the deterministic nature of SQL injection make this exploitable by threat actors who gain admin access through credential compromise, supply-chain incidents, or other vectors.
Remediation
Update the Quiz and Survey Master plugin to a version that includes proper input escaping and parameterized queries for the 'order' parameter. Verify against the vendor's official advisory or changelog for the first patched version following 11.1.2. Additionally, audit WordPress admin account access, enforce strong admin credentials, protect the plugin's secret key from exposure, and consider limiting admin roles to necessary users only. Regular security audits of custom SQL queries in WordPress plugins are recommended.
Patch guidance
Check the Quiz and Survey Master plugin repository or vendor advisory for the first version released after 11.1.2 that addresses this issue. Apply updates through the WordPress admin dashboard or manually verify the patched version before deploying to production. After patching, confirm the 'order' parameter is properly escaped and uses prepared statements. Test quiz and survey functionality to ensure the patch does not break existing workflows.
Detection guidance
Monitor WordPress error logs and database query logs for unusual SQL patterns in the 'order' parameter, particularly those containing UNION, SELECT, WAITFOR, or SLEEP commands. Check admin audit logs for unexpected database queries or failed query attempts. Use Web Application Firewalls (WAF) configured to detect SQL injection payloads. Query WordPress activity logs for suspicious admin account usage patterns. If secret key exposure is suspected, review authentication logs for lower-privileged accounts performing database operations that should be restricted to admins.
Why prioritize this
Although marked MEDIUM severity with a CVSS score of 4.9, this vulnerability warrants prompt attention because: (1) SQL injection is a foundational attack class with well-understood exploitation techniques, (2) the secret key exposure condition widens the attack surface beyond high-privileged accounts, and (3) WordPress admin compromise is a common objective in multi-stage attacks. Organizations running QSM should prioritize patching within their standard update cycle, especially if the site handles sensitive survey or assessment data.
Risk score, explained
The CVSS 3.1 score of 4.9 reflects a Medium severity rating: Network-accessible vulnerability with low attack complexity and high privilege requirement (admin), but high confidentiality impact (C:H) and no integrity or availability impact (I:N, A:N). The score assumes the attacker already holds admin credentials. The practical risk is elevated by the secret key exposure condition, which could shift the privilege requirement to Low or None if the key is not properly protected. Organizations should assess their own secret key protection posture when determining actual risk.
Frequently asked questions
Can a low-privilege WordPress user exploit this vulnerability?
Not without additional compromise. The base attack requires admin-level access. However, if the plugin's secret key is exposed through misconfiguration, version control leakage, or other means, lower-privileged authenticated users could exploit it. Protect your secret key as you would a database password.
What data can an attacker extract via this SQL injection?
Any data in the WordPress database is theoretically accessible, including user credentials, post content, quiz responses, survey answers, and plugin settings. The time-based blind technique makes extraction slow but reliable. The scope depends on the database user's permissions and what tables are present.
Is this vulnerability actively exploited in the wild?
Not currently—it is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. However, SQL injection vulnerabilities are frequently targeted once disclosed. Assume exploitation will occur after public details emerge.
Do I need to regenerate my WordPress users or security keys after a patch?
If you suspect the plugin's secret key or admin credentials were compromised, regenerate authentication tokens and audit admin accounts immediately. Patching alone does not remove any traces of prior exploitation. If no unauthorized activity is detected, patching is sufficient for future protection.
This analysis is provided for informational purposes and reflects information available as of the publication date. Security vulnerabilities are dynamic; verify all technical details, patch availability, and affected versions against the vendor's official advisories before taking action. SEC.co makes no warranty regarding the completeness or accuracy of this assessment. Always test patches in a non-production environment before deployment. Exploit details and active exploitation status may change; monitor official sources for updates. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-0075MEDIUMAndroid SQL Injection in Contacts Database – Privilege Escalation Risk
- CVE-2026-10039MEDIUMFrontend Admin WordPress Plugin SQL Injection Vulnerability
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController