CVE-2026-5797
Arbitrary Shortcode Execution in Quiz And Survey Master Plugin
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quiz_and_survey_master | quiz_and_survey_master | up to and including 11.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in all versions up to and including 11.1.0. The root cause is incomplete sanitization of user-submitted quiz answers: HTML tags are stripped, but the shortcode delimiters [ and ] are left in place. When a quiz result is displayed, the plugin runs the WordPress shortcode processor over the rendered output, so any shortcode embedded in a stored answer is expanded together with the plugin's own. An unauthenticated attacker who can submit a quiz can therefore inject and execute arbitrary WordPress shortcodes, that is, any shortcode registered on the site, not only those belonging to this plugin.
In particular, an attacker can inject [qsm_result id=X], the plugin's own result shortcode, which renders the submission with the given ID without checking that the requester is allowed to see it, so other users' quiz submissions can be read.
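The following PHP is an added illustration of the mechanism described above and of the sanitization fix; it is not code from the Quiz And Survey Master plugin. WordPress is not loaded, so a small stand-in for do_shortcode() and a simulated qsm_result handler with no authorization check are used; the function names, the sample submissions and the result template are all assumptions.

```php
<?php
// Added illustration, not plugin code. A tiny shortcode processor stands in
// for WordPress's do_shortcode(); the registered handler simulates a
// [qsm_result id=X] shortcode that returns another user's stored submission
// without checking who is asking. All names and data below are hypothetical.

$submissions = [  // constructed sample data
    1 => 'alice: strongly agree',
    2 => 'bob: disagree (medical history: asthma)',
];

$shortcodes = [
    // Simulated handler with no capability or ownership check, as the advisory describes.
    'qsm_result' => function (array $atts) use ($submissions): string {
        $id = (int) ($atts['id'] ?? 0);
        return $submissions[$id] ?? '';
    },
];

// Stand-in for do_shortcode(): expands [name attr=value ...] for registered names.
function run_shortcodes(string $text, array $shortcodes): string {
    return preg_replace_callback(
        '/\[([a-z_]+)((?:\s+[a-z_]+=[^\s\]]+)*)\s*\]/i',
        function (array $m) use ($shortcodes): string {
            $name = strtolower($m[1]);
            if (!isset($shortcodes[$name])) {
                return $m[0];           // unknown shortcode is left as text
            }
            $atts = [];
            if (preg_match_all('/([a-z_]+)=([^\s\]]+)/i', $m[2], $pairs, PREG_SET_ORDER)) {
                foreach ($pairs as $p) {
                    $atts[strtolower($p[1])] = trim($p[2], '"\'');
                }
            }
            return $shortcodes[$name]($atts);
        },
        $text
    );
}

// Vulnerable pattern: only HTML tags are removed, so '[' and ']' survive.
function sanitize_answer_vulnerable(string $answer): string {
    return strip_tags($answer);
}

// Hardened pattern: strip tags, then neutralise the shortcode delimiters so
// the shortcode processor never sees a '[' that came from user input.
function sanitize_answer_hardened(string $answer): string {
    $clean = strip_tags($answer);
    return str_replace(['[', ']'], ['&#91;', '&#93;'], $clean);
}

// Result-page rendering as the advisory describes it: the stored answer is
// embedded in the result markup and the whole output is shortcode-processed.
function render_result(string $answer, array $shortcodes): string {
    $template = "<p>Your answer: {$answer}</p>";
    return run_shortcodes($template, $shortcodes);
}

$attacker_answer = '<b>x</b>[qsm_result id=2]';

echo "vulnerable: ", render_result(sanitize_answer_vulnerable($attacker_answer), $shortcodes), "\n";
echo "hardened:   ", render_result(sanitize_answer_hardened($attacker_answer), $shortcodes), "\n";
```

Run with `php example.php`. In the vulnerable path the attacker's answer survives tag stripping with its brackets intact, the simulated processor expands [qsm_result id=2], and submission 2 (another user's data) appears in the attacker's own result page. In the hardened path the brackets are entity-encoded, the processor finds no shortcode, and the result page shows the literal text. Encoding the delimiters is one fix; an alternative is to keep user-supplied fields out of the shortcode-processed output altogether.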
What immediate steps should I take to mitigate this vulnerability?
Update the Quiz And Survey Master plugin to a release later than 11.1.0 in which the issue is fixed. The fixed release is not listed here, so confirm it against the plugin's changelog before relying on the update.
Independently of the update, treat quiz answers as untrusted text: strip or escape the [ and ] characters before the answer is stored or rendered. Stripping HTML tags alone does not remove shortcode delimiters, which is exactly the gap this vulnerability exploits.
If you cannot patch immediately, either prevent result output that contains user-supplied text from being shortcode-processed, or block quiz submissions containing [ and ] at the web application firewall. Both are stopgaps, not substitutes for the update.
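Once patched, it is worth checking whether the bug was exercised before the update. The following PHP is an added example, not part of the plugin or this advisory: it scans stored quiz answers for shortcode-shaped payloads. The page does not describe where the plugin stores answers, so a constructed array stands in for the storage layer; a real scan would iterate the plugin's stored results instead.

```php
<?php
// Added example, not plugin code. Scans stored answers for shortcode-shaped
// payloads; the storage layer is unspecified on this page, so $stored below is
// a constructed sample and the function name is hypothetical.

function find_shortcode_payloads(array $answers): array {
    $hits = [];
    foreach ($answers as $id => $text) {
        // Decode entities first: an earlier encoding of [ as &#91; could be
        // reversed by a later processing step, so encoded payloads are flagged too.
        $decoded = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        // [name ...] where name starts with a letter or underscore, i.e. the
        // shape the WordPress shortcode parser would try to expand.
        if (preg_match_all('/\[([a-z_][a-z0-9_-]*)(?:\s+[^\]]*)?\]/i', $decoded, $m, PREG_SET_ORDER)) {
            foreach ($m as $match) {
                $hits[] = [
                    'submission' => $id,
                    'shortcode'  => strtolower($match[1]),
                    'raw'        => $match[0],
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample submissions.
$stored = [
    101 => 'Strongly agree',
    102 => 'see [qsm_result id=7] for details',
    103 => 'array[0] is fine',                 // benign: no shortcode-name form
    104 => 'also &#91;qsm_result id=8&#93;',   // entity-encoded payload
];

foreach (find_shortcode_payloads($stored) as $hit) {
    printf("submission %d: [%s] -> %s\n", $hit['submission'], $hit['shortcode'], $hit['raw']);
}
```

Submissions 102 and 104 are reported; 103 is not, because `[0]` does not have the shape of a shortcode name. A hit on qsm_result with an id the submitter does not own is the clearest sign of abuse, but any unexpected shortcode name in a stored answer deserves a look, since the injection is not limited to this plugin's shortcodes.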
How can this vulnerability impact me?
An unauthenticated attacker can inject shortcodes into a quiz answer and have them executed when the result is displayed. With [qsm_result id=X] this reads other users' quiz submissions, so any sensitive or private data collected through quizzes can be exposed to unauthorized parties.
The impact described here is a loss of confidentiality: the attacker reads data they are not authorized to see. Because the injection is not limited to the plugin's own shortcodes, the actual impact on a given site also depends on which other shortcodes are registered and what they do when invoked with attacker-chosen attributes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to inject arbitrary WordPress shortcodes and read other users' quiz submissions without authorization. Unauthorized access to user-submitted data of this kind can amount to a breach under data protection regimes such as GDPR and HIPAA, which require controlled access to and confidentiality of personal data.
Because the vulnerability enables unauthorized disclosure of user data, organizations running the affected plugin may face compliance exposure, including breach-notification obligations, if the data collected through quizzes is personal or health-related.