SQL Injection Vulnerability in The Quiz And Survey Master Plugin for WordPress
CVE-2024-3592

9.9 CRITICAL

What is CVE-2024-3592?

The Quiz And Survey Master (QSM) plugin for WordPress is vulnerable to SQL injection through the 'question_id' parameter in all versions up to and including 9.0.1. The root cause is insufficient escaping of the user-supplied parameter combined with a lack of preparation on the existing SQL query, so the value is concatenated into the statement rather than bound as a parameter. Authenticated attackers with contributor-level access or higher can append additional SQL to the existing query and use it to extract sensitive information from the database.
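The following is an added example, not code from the QSM plugin or from Wordfence. It reproduces the two defects the description names, using a constructed SQLite schema (the table and column names `demo_questions`, `demo_users`, `user_pass` are assumptions, not the plugin's real schema) and a stand-in for the `question_id` parameter. It shows why quote-escaping alone does not protect a numeric column, and contrasts that with a parameterised query, which is what `$wpdb->prepare( '... = %d', $id )` provides in WordPress.

```python
"""Added example: UNION-based extraction through an unescaped numeric
parameter (here named question_id, as in the advisory) and the
parameterised fix. Schema and data are constructed for the demo."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a questions table the endpoint is meant to
    read, plus a users table with password hashes it must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE demo_questions (question_id INTEGER, question_name TEXT);
        INSERT INTO demo_questions VALUES
            (1, 'What is 2+2?'),
            (2, 'Capital of France?');
        CREATE TABLE demo_users (id INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO demo_users VALUES (1, 'admin', '$P$Bfakehash...');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, question_id: str) -> list:
    """Vulnerable pattern: the request parameter is concatenated straight
    into the statement, as happens when a query is built without prepare()."""
    sql = (
        "SELECT question_id, question_name FROM demo_questions "
        "WHERE question_id = " + question_id
    )
    return conn.execute(sql).fetchall()


def lookup_escaped_only(conn: sqlite3.Connection, question_id: str) -> list:
    """Still vulnerable: doubling single quotes is the 'escaping' a developer
    might reach for, but a numeric comparison needs no quote to break out of,
    so a payload that contains no quotes passes through untouched."""
    escaped = question_id.replace("'", "''")
    sql = (
        "SELECT question_id, question_name FROM demo_questions "
        "WHERE question_id = " + escaped
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, question_id: str) -> list:
    """Hardened pattern: validate the type up front, then bind the value as
    a query parameter so it can only ever be compared, never parsed as SQL.
    In a WordPress plugin the equivalent is absint() plus $wpdb->prepare()
    with a %d placeholder."""
    if not question_id.isdigit():
        raise ValueError("question_id must be a non-negative integer")
    sql = (
        "SELECT question_id, question_name FROM demo_questions "
        "WHERE question_id = ?"
    )
    return conn.execute(sql, (int(question_id),)).fetchall()


# Constructed payload: select no real question, then append a second
# SELECT that reads credentials out of an unrelated table.
PAYLOAD = "0 UNION SELECT user_login, user_pass FROM demo_users"


def demo() -> tuple:
    """Run the payload against all three lookups. Returns the rows leaked by
    the vulnerable and escape-only variants and whether the hardened one
    refused the input."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    leaked_despite_escaping = lookup_escaped_only(conn, PAYLOAD)
    try:
        lookup_hardened(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, leaked_despite_escaping, blocked


if __name__ == "__main__":
    print(demo())
```

The only line that matters in the fix is the parameter binding: once the value is bound, the database engine receives the literal string and never interprets it as SQL. The `isdigit()` check is defence in depth and gives a clean error instead of a database error, which is also what you want for an endpoint reachable by any contributor.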

Affected Version(s)

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker: all versions up to and including 9.0.1

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Score: 9.9
Severity: Critical
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Credit

Lucio Sá