Published Jan 29, 2026 · Updated May 19, 2026 · 1 source

SQL Injection Vulnerability in Quiz and Survey Master (QSM) Plugin Affecting 40k+ Sites

A SQL injection vulnerability (CVE-2025-67987) in the Quiz and Survey Master WordPress plugin, with over 40,000 active installations, allows any authenticated user with Subscriber-level access or higher to execute arbitrary SQL commands.

A critical SQL injection vulnerability has been discovered in the Quiz and Survey Master (QSM) WordPress plugin, a popular tool used on over 40,000 websites to create quizzes, surveys, and forms. Tracked as CVE-2025-67987, the flaw allows any authenticated user—even those with the lowest Subscriber role—to inject arbitrary SQL commands into the site's database, potentially extracting sensitive information such as user credentials, private data, and configuration details.

The vulnerability resides in the `qsm_rest_get_question` function, which handles REST API requests. The function retrieves an `is_linking` parameter from the request and, without any sanitization or validation, concatenates it directly into an SQL query. Specifically, the parameter is merged into a comma-separated list of IDs used in a `WHERE question_id IN (...)` clause. Because the code does not enforce that `is_linking` is an integer—using functions like `intval` or `is_int`—an attacker can supply a malicious string containing SQL statements. The query is executed via `$wpdb->get_results()` without using WordPress's prepared statement mechanism, which would normally separate SQL logic from data.

The impact is severe: any logged-in user can exploit this to read, modify, or delete database contents. Given that many WordPress sites have thousands of subscriber accounts (e.g., from membership plugins or comment systems), the attack surface is broad. The plugin's developer, ExpressTech, has released version 10.3.2, which patches the vulnerability by applying `intval` to the `is_linking` parameter, forcing it to an integer and eliminating injection possibilities. Users are strongly advised to update immediately.
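To make the flaw and its fix concrete, the following PHP is an added illustrative reconstruction of the pattern described above, not the plugin's own code and not the vendor's patch: the function names (`example_get_question_vulnerable`, `example_get_question_hardened`, `example_register_route`), the table name `example_questions`, the `id` parameter and the `is_user_logged_in` permission check are all assumptions made for the example. The first function shows why concatenating an unvalidated `is_linking` value into an `IN (...)` list is dangerous; the second shows the `intval` coercion the article credits the fix with, combined with `$wpdb->prepare()` placeholders and REST argument sanitization so that no request value reaches the query as raw SQL text.

```php
<?php
// Added illustrative example; not code from the QSM plugin. Assumes the
// WordPress runtime ($wpdb, WP_REST_Request, WP_Error, register_rest_route).

/**
 * Vulnerable pattern (illustrative): the raw 'is_linking' request value is
 * string-concatenated into the IN (...) list. MySQL receives whatever text
 * the caller supplied, so the query no longer separates logic from data.
 */
function example_get_question_vulnerable( WP_REST_Request $request ) {
	global $wpdb;
	$question_id = intval( $request->get_param( 'id' ) );     // assumed companion id, coerced
	$is_linking  = $request->get_param( 'is_linking' );        // NOT validated or coerced
	$ids         = $question_id . ',' . $is_linking;            // merged into one id list
	$table       = $wpdb->prefix . 'example_questions';         // placeholder table name

	// No $wpdb->prepare(): the id list is interpolated directly into the SQL.
	return $wpdb->get_results( "SELECT * FROM {$table} WHERE question_id IN ({$ids})" );
}

/**
 * Hardened pattern: every id is forced to a positive integer with intval()
 * before it reaches SQL, and the IN (...) list is built from %d placeholders
 * so $wpdb->prepare() performs the quoting. Empty or invalid input is rejected.
 */
function example_get_question_hardened( WP_REST_Request $request ) {
	global $wpdb;

	$raw_ids = array(
		$request->get_param( 'id' ),
		$request->get_param( 'is_linking' ),
	);

	// Coerce to integers, then keep only positive values (0 means "not an id").
	$ids = array_values(
		array_filter(
			array_map( 'intval', $raw_ids ),
			function ( $id ) {
				return $id > 0;
			}
		)
	);

	if ( empty( $ids ) ) {
		return new WP_Error( 'invalid_id', 'No valid question id supplied.', array( 'status' => 400 ) );
	}

	// One %d placeholder per id, e.g. "%d,%d"; prepare() substitutes the integers.
	$placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
	$table        = $wpdb->prefix . 'example_questions';
	$sql          = $wpdb->prepare(
		"SELECT * FROM {$table} WHERE question_id IN ({$placeholders})", // phpcs:ignore -- placeholders built above
		$ids
	);

	return $wpdb->get_results( $sql );
}

/**
 * Defence at the API boundary as well: declare the expected types so the REST
 * layer sanitizes and validates arguments before the handler runs. Schema
 * 'integer' plus absint means a non-numeric 'is_linking' never reaches SQL.
 */
function example_register_route() {
	register_rest_route(
		'example/v1',
		'/question',
		array(
			'methods'             => 'GET',
			'callback'            => 'example_get_question_hardened',
			'permission_callback' => 'is_user_logged_in', // assumed; choose the capability the feature really needs
			'args'                => array(
				'id'         => array(
					'type'              => 'integer',
					'required'          => true,
					'sanitize_callback' => 'absint',
				),
				'is_linking' => array(
					'type'              => 'integer',
					'required'          => false,
					'sanitize_callback' => 'absint',
				),
			),
		)
	);
}
add_action( 'rest_api_init', 'example_register_route' );
```

When auditing a plugin for this class of bug, the check is mechanical: every `$wpdb->get_results()`, `get_var()`, `get_row()` or `query()` call whose SQL string interpolates a variable should either pass through `$wpdb->prepare()` with `%d`/`%s` placeholders or use a value that was coerced to an integer on the line where it was read from the request, as above. The REST `args` schema is a second, independent layer: it documents the contract and stops malformed values before any handler code runs, but it does not replace preparing the query itself.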

The vulnerability was discovered and responsibly disclosed by Patchstack Alliance community member Doan Dinh Van. Patchstack, a WordPress security company, has included protections for its customers. This incident underscores the importance of input validation and the use of prepared statements in database queries, especially in plugins with large user bases. WordPress developers are reminded that any user-supplied data—even parameters not intended for direct user control—must be sanitized before being used in SQL operations.

This is not an isolated case; SQL injection remains one of the most common and dangerous vulnerability classes in WordPress plugins. The QSM flaw joins a long list of similar issues in popular plugins, highlighting the ongoing challenge of securing the WordPress ecosystem. Site administrators should audit their plugin inventories and ensure all software is kept up to date to mitigate such risks.

Synthesized by Vypr AI