SQL Injection Vulnerability in Quiz and Survey Master Plugin for WordPress
CVE-2025-9318

6.5MEDIUM

Key Information:

Vendor

WordPress
Status
Quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
Vendor
CVE Published:
6 January 2026

What is CVE-2025-9318?

The Quiz and Survey Master (QSM) plugin for WordPress is susceptible to time-based SQL Injection through the ‘is_linking’ parameter in versions up to and including 10.3.1. This vulnerability arises from insufficient escaping of user-supplied data and poor preparation of existing SQL queries, enabling authenticated attackers with Subscriber-level access and above to inject additional SQL queries. Such exploits can lead to unauthorized access to sensitive database information, raising significant security concerns for WordPress users.

Affected Version(s)

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker * <= 10.3.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/quiz-master-ne...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rahul Sreenivasan
JSON
.
CVE-2025-9318 : SQL Injection Vulnerability in Quiz and Survey Master Plugin for WordPress