Arbitrary Shortcode Execution Vulnerability in Quiz And Survey Master Plugin by WordPress
CVE-2026-5797

5.3 MEDIUM

What is CVE-2026-5797?

The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution due to inadequate input sanitization. User-submitted quiz answers are not properly sanitized before the plugin processes them, which lets attackers inject malicious shortcodes. When the quiz results are displayed, the plugin executes these injected shortcodes without appropriate authorization checks, potentially exposing sensitive user information. This vulnerability affects versions up to and including 11.1.0, making it critical for site administrators to update to a secure version to prevent exploitation.
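The bug class described above, shown as an added example in plain PHP: a constructed, minimal model of a shortcode pass, with the unsafe rendering order beside a hardened one. It is not code from the plugin or from WordPress, and every function name, the `member_email` shortcode and the `%ANSWER%` placeholder are hypothetical.

```php
<?php
// Added illustration: a constructed, minimal model of a shortcode engine.
// Every name here is hypothetical; none of it is QSM or WordPress code.

// Constructed shortcode standing in for one that returns non-public data.
$handlers = [
    'member_email' => fn(): string => 'owner@example.test',
];

// Replace each registered [tag] with its handler output, as a shortcode pass does.
function run_shortcodes(string $html, array $handlers): string {
    return preg_replace_callback(
        '/\[([a-z_]+)\]/',
        fn(array $m): string => isset($handlers[$m[1]]) ? $handlers[$m[1]]() : $m[0],
        $html
    );
}

// HTML-escape the answer, then encode the delimiters a shortcode parser looks for.
function neutralize_answer(string $answer): string {
    $escaped = htmlspecialchars($answer, ENT_QUOTES, 'UTF-8');
    return str_replace(['[', ']'], ['&#91;', '&#93;'], $escaped);
}

// Before: the raw answer is merged into the page, then the whole page is parsed,
// so any shortcode inside the answer runs with the page's authority.
function render_results_unsafe(string $answer, array $handlers): string {
    return run_shortcodes("<p>Your answer: {$answer}</p>", $handlers);
}

// After: only the trusted template is parsed; the answer is inserted afterwards,
// already neutralized, and is never seen by the shortcode pass.
function render_results_hardened(string $answer, array $handlers): string {
    $template = run_shortcodes('<p>Your answer: %ANSWER%</p>', $handlers);
    return str_replace('%ANSWER%', neutralize_answer($answer), $template);
}

$submitted = 'Paris [member_email]'; // constructed quiz answer
echo render_results_unsafe($submitted, $handlers), PHP_EOL;
echo render_results_hardened($submitted, $handlers), PHP_EOL;
```

The first line of output contains the handler's return value in place of the tag; the second shows the tag as inert text with its brackets entity-encoded.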

Affected Version(s)

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker 0 <= 10.1.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rafshanzani Suhada