CVE-2026-13767 in Quiz and Survey Master Plugininfo

Summary

by MITRE • 07/16/2026

The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied 'pages' parameter persisted by the qsm_ajax_save_pages() AJAX handler (sanitize_text_field only) and lack of sufficient preparation on the existing SQL query built in qsm_options_questions_tab_content() at line 143, where the stored page IDs are interpolated into an IN() clause via implode() with no $wpdb->prepare() and no integer casting. This makes it possible for authenticated attackers, with Author-level access and above (who can own a quiz they are entitled to edit), to plant a SQL payload that is executed second-order whenever any user (including an administrator) views the quiz's Questions tab, allowing them to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in the Quiz Master Next plugin for WordPress represents a critical second-order SQL injection flaw that affects versions up to and including 11.2.0. This security weakness stems from inadequate input sanitization within the qsm_ajax_save_pages() AJAX handler which relies solely on sanitize_text_field() for processing the 'pages' parameter. The insufficient escaping mechanism fails to properly handle malicious payloads that could be stored within quiz page data, creating a persistent vector for exploitation. The vulnerability manifests when stored page IDs are interpolated into an SQL IN() clause through implode() function without proper database preparation or integer casting, allowing attackers to inject malicious SQL commands that execute whenever quiz pages are displayed.

The technical flaw operates at multiple levels within the plugin's architecture, specifically targeting the qsm_options_questions_tab_content() function at line 143 where database queries are constructed. The absence of $wpdb->prepare() usage and lack of proper integer casting creates an environment where attacker-controlled data flows directly into SQL execution contexts. This design flaw aligns with CWE-89 which categorizes improper neutralization of special elements used in SQL commands as a primary cause of SQL injection vulnerabilities. The exploitation requires minimal privileges, specifically Author-level access or higher, making it particularly dangerous as it allows users who can edit quizzes to compromise the entire system through carefully crafted payloads.

The operational impact of this vulnerability extends far beyond simple data theft, as authenticated attackers can execute arbitrary SQL commands with the privileges of the web application. When administrators or other users view quiz pages containing maliciously injected code, the secondary execution occurs within the context of the database connection, potentially enabling full database compromise. This threat model maps directly to ATT&CK technique T1078 which covers legitimate credentials use and privilege escalation. The vulnerability's persistence means that even after initial exploitation, the malicious payload remains active until manually removed from the stored quiz data, creating a long-term attack vector that can be leveraged for information disclosure, data manipulation, or further system compromise.

Mitigation strategies should prioritize immediate plugin updates to versions that properly implement database query preparation and input validation. Administrators must ensure that all user-supplied data undergoes proper sanitization using appropriate WordPress functions such as intval() for numeric values or $wpdb->prepare() for SQL queries containing dynamic elements. The implementation of least privilege principles becomes critical, as restricting user permissions reduces the potential attack surface. Additionally, regular database monitoring should be implemented to detect unusual query patterns that might indicate exploitation attempts. Security headers and input validation layers can provide additional defense in depth, while comprehensive logging of AJAX handler activities enables forensic analysis following suspected incidents. The vulnerability highlights the importance of proper database abstraction practices and demonstrates how seemingly minor implementation oversights can create significant security risks in content management systems.

Responsible

Wordfence

Reservation

06/29/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!