CVE-2025-67987 in Quiz and Survey Master Plugin
Summary
by MITRE • 02/20/2026
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through <= 10.3.1.
Analysis
by VulDB Data Team • 02/22/2026
CVE-2025-67987 is an SQL injection vulnerability (CWE-89) in the ExpressTech Systems Quiz And Survey Master WordPress plugin (slug quiz-master-next). The MITRE record lists every release up to and including 10.3.1 as affected and gives no lower bound ("n/a"), so any installation that has not moved past 10.3.1 should be treated as vulnerable. The advisory does not assign a severity score, name the affected parameter or endpoint, or state which user role is required to reach it, so those details have to come from the vendor's changelog or from reading the patched code. CWE-89 describes the underlying defect: data that originates from a request reaches the text of an SQL statement without being bound as a parameter or otherwise neutralized, so characters that are special to SQL (a single quote, a comment marker, a UNION keyword) change the structure of the query rather than being treated as part of a value.
The exploitation pattern follows directly from that defect. Quiz and survey plugins accept identifiers and answers from visitors and from the dashboard and use them to look up, record and summarize results in the WordPress database; wherever one of those values is concatenated into a query string instead of being passed through a placeholder, a crafted value lets the sender append their own SQL. What that buys the attacker depends on the statement that is affected: a SELECT can be turned into a UNION that returns rows from other tables, a query whose results are not shown can still be probed with boolean or time-based conditions, and an UPDATE or DELETE can be steered to rows the request was never meant to touch. Because every WordPress plugin shares one database connection and one set of database credentials, the reachable data is the entire WordPress schema, not only the plugin's own tables. Note that none of this is an authentication bypass in itself; the usual path to account takeover is reading the password hashes stored in the users table rather than skipping the login form.
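The following is an added illustration, not code from the plugin or from VulDB, of the CWE-89 pattern the paragraph above describes: one function splices a request value into a lookup the way a vulnerable plugin would, the other binds it as a parameter after validating its type (the same idea as WordPress's `$wpdb->prepare()` with a `%d` placeholder). The table and column names, the users table layout and the password hash are constructed for the example and are not the plugin's real schema; the database is an in-memory SQLite instance so the example runs offline.

```python
import sqlite3

# Constructed fixture standing in for a quiz-results table and a WordPress-style
# users table. Table and column names are illustrative assumptions, not the
# plugin's real schema; the password hash is a fake placeholder string.
QUIZ_RESULTS = [
    (1, 101, "alice", 90),
    (2, 101, "bob", 75),
    (3, 202, "carol", 60),
]
USERS = [
    (1, "admin", "$P$BfakeHashForIllustrationOnly"),
]


def make_db():
    """Build an in-memory database populated with the constructed fixture."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quiz_results (id INTEGER, quiz_id INTEGER, "
        "user_login TEXT, score INTEGER)"
    )
    conn.execute("CREATE TABLE users (id INTEGER, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO quiz_results VALUES (?, ?, ?, ?)", QUIZ_RESULTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_results(conn, quiz_id):
    """CWE-89 pattern: the request value is spliced into the statement text.

    Quoting the value is not a defence: a single quote in the input closes the
    literal and everything after it is parsed as SQL.
    """
    sql = (
        "SELECT id, user_login, score FROM quiz_results "
        "WHERE quiz_id = '" + str(quiz_id) + "'"
    )
    return conn.execute(sql).fetchall()


def hardened_results(conn, quiz_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    The statement text is fixed, so the value can only ever be compared with
    the column, never interpreted as SQL.
    """
    value = str(quiz_id)
    if not value.isdigit():
        raise ValueError("quiz_id must be a non-negative integer")
    sql = "SELECT id, user_login, score FROM quiz_results WHERE quiz_id = ?"
    return conn.execute(sql, (int(value),)).fetchall()


def hardened_rejects(conn, quiz_id):
    """True if the hardened path refuses the value instead of querying."""
    try:
        hardened_results(conn, quiz_id)
    except ValueError:
        return True
    return False


# Two payloads of the kind sent against a CWE-89 flaw (constructed for the example).
# The tautology widens the WHERE clause to every row; the UNION pulls rows from a
# table the query never referenced, with "-- " commenting out the trailing quote.
TAUTOLOGY = "101' OR '1'='1"
UNION_DUMP = "0' UNION SELECT id, user_login, user_pass FROM users -- "

if __name__ == "__main__":
    conn = make_db()
    print("legit, vulnerable  :", vulnerable_results(conn, "101"))
    print("tautology          :", vulnerable_results(conn, TAUTOLOGY))
    print("union dump         :", vulnerable_results(conn, UNION_DUMP))
    print("legit, hardened    :", hardened_results(conn, "101"))
    print("tautology rejected :", hardened_rejects(conn, TAUTOLOGY))
```

The UNION payload only works because the attacker-controlled SELECT returns the same number of columns as the original; in practice that count is discovered by trial, which is one reason a burst of near-identical requests with varying numbers of columns is a recognisable footprint in access logs.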
The operational impact is therefore broader than the plugin's own data. Quiz results and survey responses often contain names, e-mail addresses and free-text answers that count as personal data, and the same database holds the WordPress users table with its password hashes and the options table with site configuration. Hashes recovered through SQL injection can be cracked offline, and an administrator credential obtained that way leads to code execution through the normal plugin and theme upload paths, which is the typical route from a WordPress SQL injection to full compromise of the site. Whether a given deployment is exposed to unauthenticated visitors or only to logged-in users depends on where the flawed query sits, which the advisory does not specify; until the vendor's details are confirmed, treat every input path into the quiz and survey features as a candidate vector.
Mitigation for CVE-2025-67987 starts with updating the plugin to a release later than 10.3.1 as identified in the vendor's changelog; the MITRE record names the last affected version but not the fixed one, so confirm the fix in the release notes rather than assuming the next version number. For developers maintaining WordPress code, the durable fix for this class of bug is to pass every query through $wpdb->prepare() with placeholders and to coerce identifiers with absint() before use, so that no request value is ever concatenated into SQL text. A web application firewall and database activity monitoring are compensating controls, not fixes: they raise the cost of exploitation and make attempts visible, but signature-based rules are routinely bypassed by encoding and comment tricks. Site owners should also inventory other plugins and themes for the same pattern, since a single unparameterized query anywhere in the installation exposes the shared database. This vulnerability maps to ATT&CK technique T1190 (Exploit Public-Facing Application), which covers exploitation of a vulnerability in an internet-facing application to gain initial access.
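As an added example of the monitoring layer mentioned above, and not part of the original page or of any vendor tooling, the script below scans web-server access-log lines for SQL-injection-shaped values in query parameters and for non-numeric values in parameters that are expected to be integer identifiers. The log lines, the admin-ajax action name, the quiz_id parameter and the IP addresses are constructed for the example and are assumptions rather than the plugin's real endpoints; wp_users is the default WordPress users table name.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed combined-format access-log lines. The endpoint, action name and
# parameter names are assumptions for illustration, not the plugin's real routes.
# Lines 2 to 4 carry a tautology, a UNION dump and a time-based probe; line 5 is a
# benign site search that contains the word "union" and must not alert.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Feb/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=qsm_example&quiz_id=101 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Feb/2026:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=qsm_example&quiz_id=101%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Feb/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=qsm_example&quiz_id=0%27%20UNION%20SELECT%200%2Cuser_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 1204 "-" "sqlmap/1.8"
198.51.100.9 - - [22/Feb/2026:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=qsm_example&quiz_id=101%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.8"
192.0.2.7 - - [22/Feb/2026:10:01:00 +0000] "GET /?s=union+station+survey HTTP/1.1" 200 4023 "-" "Mozilla/5.0"
"""

# Parameters that must always be integers in this (assumed) endpoint. A type
# check on these is the highest-signal, lowest-noise rule available.
NUMERIC_PARAMS = {"quiz_id"}

# Heuristic patterns applied to each percent-decoded parameter value.
PATTERNS = {
    "tautology": re.compile(r"\b(or|and)\b\s+'?[^'=\s]+'?\s*=\s*'?[^'=\s]+", re.I),
    "union select": re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I),
    "time-based function": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "sql comment": re.compile(r"--|/\*"),
}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def classify_value(name, value):
    """Return the set of rule names that fire for one parameter value."""
    reasons = {label for label, rx in PATTERNS.items() if rx.search(value)}
    if name in NUMERIC_PARAMS and not value.isdigit():
        reasons.add("non-numeric value for " + name)
    return reasons


def scan_log(text):
    """Yield one alert per parameter value that trips at least one rule."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, _method, target = m.groups()
        parsed = urlparse(target)
        # parse_qsl percent-decodes values and turns '+' into a space for us.
        for name, value in parse_qsl(parsed.query, keep_blank_values=True):
            reasons = classify_value(name, value)
            if reasons:
                alerts.append({
                    "ip": ip,
                    "path": parsed.path,
                    "param": name,
                    "value": value,
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["path"], alert["param"],
              repr(alert["value"]), sorted(alert["reasons"]))
```

The keyword rules are deliberately loose and will misfire on ordinary text containing "or x = y" or "--", which is why the numeric-type rule is listed separately: on an identifier parameter it has essentially no false positives and catches payloads that no keyword list anticipates. Values sent in POST bodies are not in the access log at all, so this only covers GET traffic; body inspection needs the WAF or application-level logging.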