- An SQL injection flaw in QSM plugin versions 10.3.1 and below was found
- Vulnerability allows logged-in users (Subscriber or higher) to extract sensitive database data
- WordPress admins urged to update QSM to v10.3.2 or newer to mitigate risk
If your website is running the Quiz and Survey Master WordPress plugin, you might want to update it to the latest version, or risk a possible cyberattack.
QSM lets users create quizzes, surveys, and forms without coding, with more than 40,000 websites actively using it – but recently, it was discovered versions 10.3.1 and older were vulnerable to an SQL injection flaw which allowed any logged-in user to inject commands into the database.
A security advisory from Patchstack noted this means any user with a “subscriber” account, or one with higher privileges, could perform a wide array of unwanted actions on vulnerable websites, including data exfiltration.
How many websites are vulnerable?
Users are advised to update to this, or any newer version, as soon as possible. As per data on the official WordPress.org website, the newest version is 10.3.5.
Unfortunately, there is no way of telling exactly how many websites are patched, and how many remain vulnerable. Official numbers are showing that a slim majority – 52.1% – are running version 10.3, which means that at least 47.9% – which equals 19,160 websites – are definitely vulnerable. Of the remaining 39,980, at least some are running the vulnerable version 10.3.1.
Right now, there is no evidence of the flaw being abused in the wild, but given its popularity, it is safe to assume that threat actors will now start scanning for websites using QSM. The bug is now tracked as CVE-2025-67987 and was fixed in version 10.3.2.
As a general rule of thumb, WordPress users should always keep their website builder platforms updated, as well as any plugins and themes they are using. Security professionals also advise that all plugins and themes that are not actively being used be deleted from the servers entirely.
Via Infosecurity Magazine
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
