VYPR

Quiz and Survey Master (QSM)

by WordPress

CVEs (48)

  • CVE-2020-35951CriJan 1, 2021
    risk 0.70cvss 9.9epss 0.76

    An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their…

  • CVE-2020-35949CriJan 1, 2021
    risk 0.65cvss 10.0epss 0.05

    An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type…

  • CVE-2023-28787CriMar 26, 2024
    risk 0.61cvss 9.3epss 0.02

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Quiz And Survey Master.This issue affects Quiz And Survey Master: from n/a through 8.1.4.

  • CVE-2024-3592CriJun 7, 2024
    risk 0.57cvss 9.9epss 0.00

    The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'question_id' parameter in all versions up to, and including, 9.0.1 due to insufficient escaping on the user supplied parameter and lack of…

  • CVE-2022-0180HigJan 17, 2022
    risk 0.57cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to hijack the authentication of administrators and conduct arbitrary operations via a specially crafted web page.

  • CVE-2021-24221HigApr 12, 2021
    risk 0.57cvss 8.8epss 0.02

    The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection.…

  • CVE-2025-55708HigAug 14, 2025
    risk 0.55cvss 8.5epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection.This issue affects Quiz And Survey Master: from n/a through <= 10.2.4.

  • CVE-2024-5606HigJul 2, 2024
    risk 0.50cvss 8.8epss 0.01

    The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 is vulnerable does not validate and escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by Contributors and above role

  • CVE-2021-36898HigOct 28, 2022
    risk 0.49cvss 7.5epss 0.01

    Auth. SQL Injection (SQLi) vulnerability in Quiz And Survey Master plugin <= 7.3.4 on WordPress.

  • CVE-2022-4032HigNov 29, 2022
    risk 0.47cvss 7.2epss 0.01

    The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible…

  • CVE-2026-48867HigJun 15, 2026
    risk 0.46cvss 7.1epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions.

  • CVE-2026-40787HigJun 15, 2026
    risk 0.46cvss 7.1epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.0.0 versions.

  • CVE-2023-47834MedNov 23, 2023
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ExpressTech Quiz And Survey Master plugin <= 8.1.13 versions.

  • CVE-2022-41652MedNov 18, 2022
    risk 0.42cvss 6.5epss 0.01

    Bypass vulnerability in Quiz And Survey Master plugin <= 7.3.10 on WordPress.

  • CVE-2023-0291HigJun 9, 2023
    risk 0.40cvss 7.2epss 0.02

    The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated…

  • CVE-2022-0181MedJan 17, 2022
    risk 0.40cvss 6.1epss 0.01

    Reflected cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to inject an arbitrary script via unspecified vectors.

  • CVE-2021-20792MedAug 18, 2021
    risk 0.40cvss 6.1epss 0.04

    Cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.1.14 allows a remote attacker to inject arbitrary script via unspecified vectors.

  • CVE-2021-24368MedJun 20, 2021
    risk 0.40cvss 6.1epss 0.01

    The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege…

  • CVE-2019-9575MedMar 5, 2019
    risk 0.40cvss 6.1epss 0.02

    The Quiz And Survey Master plugin 6.0.4 for WordPress allows wp-admin/admin.php?page=mlw_quiz_results quiz_id XSS.

  • CVE-2024-27966MedApr 11, 2024
    risk 0.38cvss 5.9epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ExpressTech Quiz And Survey Master allows Stored XSS.This issue affects Quiz And Survey Master: from n/a through 8.2.2.

Page 1 of 3