- An SQL injection bug was found in QSM plugin version 10.3.1 and below
- Vulnerability allows logged-in users (subscriber or higher) to extract sensitive database data
- WordPress admins are encouraged to update QSM to v10.3.2 or later to mitigate the risk
If your site is running the Quiz and Survey Master WordPress plugin, you may want to update it to the latest version or risk a possible cyber attack.
QSM lets users create quizzes, surveys and forms without coding, with more than 40,000 sites actively using it – but recently it was discovered that versions 10.3.1 and earlier were vulnerable to an SQL injection flaw that allowed any logged-in user to inject commands into the database.
A security advisory from Patchstack noted that this means any user with a “subscriber” account or one with higher privileges can perform a wide variety of unwanted actions on vulnerable websites, including data exfiltration.
How many websites are vulnerable?
Users are advised to update to version 10.3.2, or any newer version, as soon as possible. According to data on the official WordPress.org website, the latest version is 10.3.5.
Unfortunately, there is no way to tell exactly how many websites have been patched and how many remain vulnerable. Official figures show that a slim majority – 52.1% – are running version 10.3, meaning that at least 47.9% – which equates to 19,160 websites – are definitely vulnerable. Of the remaining 39,980, at least some are running the vulnerable version 10.3.1.
Right now, there is no evidence that the flaw is being exploited in the wild, but given its popularity, it’s safe to assume that threat actors will now start scanning websites using QSM. The bug is now tracked as CVE-2025-67987 and was fixed in version 10.3.2.
As a general rule of thumb, WordPress users should always keep their website builder platforms up to date, as well as any plugins and themes they use. Security experts also recommend that all plugins and themes that are not actively used be completely deleted from the servers.
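Because the public usage figures only show the 10.3 branch, the reliable check is the version string in each install's own plugin header. The sketch below is an added example, not code from QSM, Patchstack or the article; the folder name `qsm-plugin-dir` is a placeholder for the plugin's real directory and the fixture sites are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (10, 3, 2)          # first patched release named in the article
SLUG = "qsm-plugin-dir"     # placeholder: substitute the plugin's real folder name

# WordPress takes plugin metadata from the header comment in the first 8 KB
# of the plugin's main PHP file ("Plugin Name:", "Version:", ...).
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d[\w.\-]*)", re.I | re.M)

def parse_version(text):
    """'10.3' -> (10, 3, 0); '10.3.1-beta' -> (10, 3, 1)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(plugins_dir, slug=SLUG):
    """Return (state, version); state is missing, unknown, vulnerable or patched."""
    plugin_dir = Path(plugins_dir) / slug
    if not plugin_dir.is_dir():
        return "missing", None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if NAME_RE.search(head) and match:
            version = match.group(1)
            state = "patched" if parse_version(version) >= FIXED else "vulnerable"
            return state, version
    return "unknown", None   # folder exists but no readable plugin header

def demo():
    """Audit constructed fixture installs (not real sites)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for site, version in [("a", "10.3.1"), ("b", "10.3.2"), ("c", "10.3")]:
            plugin_dir = Path(root) / site / "plugins" / SLUG
            plugin_dir.mkdir(parents=True)
            (plugin_dir / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: Constructed Sample\n * Version: {version}\n */\n")
            results[site] = audit(plugin_dir.parent)
        results["d"] = audit(root)   # no plugin folder at all
    return results

if __name__ == "__main__":
    for site, (state, version) in demo().items():
        print(site, state, version)
```

A header that reads only "10.3" is treated as 10.3.0 and therefore flagged, which errs on the side of prompting an update.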
Via Information security Magazine



