SQL Injection Vulnerability in Quiz and Survey Master Plugin for WordPress
CVE-2026-2412

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
Vendor: CVE Published:; 23 March 2026

What is CVE-2026-2412?

The Quiz and Survey Master (QSM) plugin for WordPress contains a vulnerability that allows SQL Injection through the 'merged_question' parameter in all versions up to 10.3.5. This security flaw arises due to insufficient sanitization of user-supplied inputs, enabling authenticated users with Contributor-level access and higher to inject malicious SQL queries. These queries can manipulate existing SQL commands and potentially extract sensitive information from the database due to the lack of proper input handling in the SQL IN() clause.

Affected Version(s)

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker 0 <= 10.3.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/quiz-master-ne...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 23, 2026
Vulnerability Reserved
Feb 12, 2026

Credit

Thanh Hao

CVE-2026-2412 Data

JSON