CVE-2026-6448
Time-Based Blind SQL Injection in Quiz and Survey Master WordPress Plugin
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quiz_and_survey_master | qsm | to 11.1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Quiz and Survey Master (QSM) plugin for WordPress has a time-based blind SQL Injection vulnerability in the 'order' parameter in all versions up to and including 11.1.2. This occurs because the plugin does not properly escape user-supplied input and does not sufficiently prepare the SQL query. As a result, authenticated users with admin-level access or higher can inject additional SQL queries into existing ones, potentially extracting sensitive data from the database. If the secret key is exposed, even users with lower privileges can exploit this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all versions of the Quiz and Survey Master plugin up to and including 11.1.2. Immediate mitigation steps include updating the plugin to a version later than 11.1.2 where the issue is fixed.
Additionally, restrict admin-level access to trusted users only, as exploitation requires authenticated users with admin privileges or higher.
If the secret key is exposed, ensure it is changed promptly to prevent exploitation by lower-privileged users.
How can this vulnerability impact me? :
This vulnerability can allow attackers with admin-level access to extract sensitive information from the database by injecting malicious SQL queries. If the secret key is compromised, even lower-privileged users could exploit this flaw. This could lead to unauthorized data disclosure, potentially exposing confidential or personal information stored within the WordPress site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with admin-level access to perform time-based blind SQL Injection, potentially extracting sensitive information from the database.
Exposure of sensitive data due to this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information.
However, the provided information does not explicitly describe the direct impact on compliance with these standards.