SQL Injection Vulnerability in Quiz Master Next Plugin for WordPress
CVE-2026-13767

6.5MEDIUM

What is CVE-2026-13767?

The Quiz Master Next plugin for WordPress suffers from an SQL Injection vulnerability that arises from inadequate escaping of user input in the 'pages' parameter. This issue is present in versions up to and including 11.2.0. The vulnerability can be exploited by authenticated users with Author-level access and higher, allowing attackers to inject malicious SQL payloads. When other users, including administrators, access the quiz's Questions tab, the injected payload can execute, enabling attackers to manipulate existing SQL queries and potentially extract sensitive information from the database. Mitigating this vulnerability is crucial to safeguarding your WordPress site from unauthorized data access.

Affected Version(s)

Quiz and Survey Master (QSM) – Quiz Maker & Survey Maker 0 <= 11.2.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.