SQL Injection Vulnerability in Quiz and Survey Master Plugin for WordPress
CVE-2026-6448

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Quiz And Survey Master (qsm) – Easy Quiz And Survey Maker
Vendor: CVE Published:; 5 June 2026

What is CVE-2026-6448?

The Quiz and Survey Master (QSM) plugin for WordPress is susceptible to time-based blind SQL Injection due to inadequate escaping of the 'order' parameter in SQL queries. This vulnerability allows authenticated attackers with admin-level access to inject additional SQL commands, potentially compromising sensitive database information. Furthermore, if the secret key becomes exposed, even users with lower privileges can exploit this vulnerability, raising critical security concerns for WordPress site administrators.

Affected Version(s)

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker 0 <= 11.1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/quiz-master-ne...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
Apr 16, 2026

Credit

Drew Webber

CVE-2026-6448 Data

JSON