- SQL injection flaw found in QSM plugin versions 10.3.1 and below
- The vulnerability allows registered users (subscribers or higher) to extract sensitive data from the database
- WordPress administrators are urged to update QSM to version 10.3.2 or later to mitigate risk
If your website is running the Quiz and Survey Master WordPress plugin, you may want to update it to the latest version or risk a potential cyber attack.
QSM allows users to create quizzes, surveys, and forms without coding, and is actively used by over 40,000 websites, but versions 10.3.1 and earlier were recently found to be vulnerable to a SQL injection flaw that allowed any logged-in user to inject SQL into the plugin's database queries.
A Patchstack security advisory noted that this means that any user with a “subscriber” account, or one with higher privileges, could perform a wide range of unwanted actions on vulnerable websites, including data exfiltration.
How many websites are vulnerable?
Users are advised to update to version 10.3.2 or any newer release as soon as possible. According to data from the official WordPress.org website, the latest version is 10.3.5.
Unfortunately, there is no way to know exactly how many websites have been patched and how many remain vulnerable. Official figures show that a small majority (52.1%) are using the 10.3 branch, meaning that at least 47.9% (equivalent to 19,160 websites) are on older releases and are definitely vulnerable. Of the remaining 39,980, at least some are running the vulnerable version 10.3.1, since the 10.3 figure does not distinguish between patched and unpatched releases in that branch.
At this time, there is no evidence that the flaw has been abused in the wild, but given the plugin's popularity, it is safe to assume that threat actors will now start searching for websites that use QSM. The bug is now tracked as CVE-2025-67987 and was fixed in version 10.3.2.
As a general rule, WordPress users should always keep the WordPress core installation, as well as any plugins and themes they are using, up to date. Security professionals also recommend that plugins and themes that are not actively used be completely removed from the server rather than merely deactivated.
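The advice above boils down to one check per site: is the installed QSM version older than the 10.3.2 fix? The following POSIX shell script is an added example, not code from the article, from Patchstack or from the QSM project. It compares dotted version strings without relying on GNU sort -V, and, when WP-CLI is available, reads the installed version with wp plugin get. The plugin slug quiz-master-next is an assumption; confirm it against the plugin's directory name under wp-content/plugins on your own install.

```shell
#!/bin/sh
# Added example (not from the article or the QSM project): flag a QSM install
# whose version predates 10.3.2, the release the article names as the fix.
# Assumes WP-CLI is installed and that the plugin slug is "quiz-master-next"
# (assumption: verify against wp-content/plugins on your site).

FIXED_VERSION="10.3.2"

# version_lt A B: exit 0 when dotted version A sorts before B, 1 otherwise.
# Missing components count as 0, so "10.3" compares as "10.3.0".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; ai="${ai:-0}"
        bi="${b%%.*}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# qsm_is_vulnerable VERSION: exit 0 when VERSION is 10.3.1 or lower.
qsm_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site WP_ROOT: query the live install through WP-CLI.
# Exit codes: 0 vulnerable, 1 patched, 2 no wp-cli, 3 plugin not installed.
check_site() {
    path="$1"
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; cannot inspect $path" >&2
        return 2
    fi
    ver=$(wp plugin get quiz-master-next --field=version --path="$path" 2>/dev/null) || {
        echo "QSM not installed at $path"
        return 3
    }
    if qsm_is_vulnerable "$ver"; then
        echo "VULNERABLE: QSM $ver at $path (fix: wp plugin update quiz-master-next --path=$path)"
        return 0
    fi
    echo "OK: QSM $ver at $path"
    return 1
}

# Usage: sh qsm-check.sh /var/www/html
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

Run it from a cron job or a fleet-management loop over each WordPress root; a 0 exit code marks a site that still needs the update, which makes it easy to pipe the output into a ticket or alert.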
Via Infosecurity Magazine