CVE-2025-67987
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through <= 10.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in WordPress Quiz And Survey Master plugin (≤10.3.1) allows attackers to execute arbitrary SQL, risking data theft and site compromise.
The Quiz And Survey Master plugin for WordPress (quiz-master-next) suffers from an SQL injection vulnerability due to improper neutralization of special elements in SQL commands. Versions through 10.3.1 fail to sanitize user-supplied input before incorporating it into database queries, enabling the injection of malicious SQL statements [1].
Attackers can exploit this vulnerability without authentication by sending crafted HTTP requests to vulnerable endpoints. The lack of input validation allows an unauthenticated attacker to manipulate SQL queries, bypassing intended restrictions and accessing the database directly [1].
Successful exploitation could allow an attacker to read, modify, or delete arbitrary data from the WordPress database, including user credentials, posts, and configuration settings. This can lead to complete site compromise, privilege escalation, or data exfiltration. The vulnerability is considered highly dangerous and is expected to become part of mass-exploit campaigns targeting thousands of sites [1].
Mitigation requires updating the plugin to version 10.3.2 or later. If an immediate update is not possible, applying a web application firewall rule or temporarily disabling the plugin is recommended. Patchstack offers mitigation rules to block attacks until the plugin is patched [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 10.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
- [1] SQL Injection Vulnerability in Quiz and Survey Master (QSM) Plugin Affecting 40k+ Sites. Patchstack Blog · Jan 29, 2026