SQL Injection Vulnerability in Quiz Maker Plugin for WordPress
CVE-2025-10042

5.9MEDIUM

Key Information:

Vendor: WordPress
Status: Quiz Maker
Vendor: CVE Published:; 17 September 2025

What is CVE-2025-10042?

The Quiz Maker plugin for WordPress is vulnerable to an SQL Injection attack due to improper input validation and escaping of user-supplied parameters. This vulnerability arises when the plugin processes IP headers, especially in configurations that support retrieving the IP from fields like 'X-Forwarded-For'. Unauthenticated attackers can exploit this weakness to inject additional SQL commands into existing queries, potentially allowing unauthorized access to sensitive information stored within the database. It's crucial for site administrators to be aware of this risk and take necessary steps to secure their installations, particularly if IP address restrictions are enabled.

Affected Version(s)

Quiz Maker * <= 6.7.0.56

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/quiz-maker/tag...

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 17, 2025
Vulnerability Reserved
Sep 5, 2025

Credit

Rahul Sreenivasan