Quiz and Survey Master SQL Injection Vulnerability in WordPress Plugin

A SQL injection vulnerability has been identified in the Quiz and Survey Master (QSM) WordPress plugin, affecting all versions up to and including 10.3.5. The vulnerability arises from inadequate sanitization of user input in the 'merged_question' parameter, which is used in SQL queries. The applied sanitization function, sanitize_text_field(), fails to block SQL metacharacters such as ), OR, AND, and #. As a result, authenticated attackers with Contributor-level access or higher can manipulate SQL queries to extract sensitive database information.

Impact

Exploitation of this vulnerability allows authenticated attackers to inject and execute additional SQL commands, potentially leading to unauthorized data access or manipulation.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a request to the WordPress REST API that includes the 'merged_question' parameter. The parameter can be crafted to include SQL metacharacters, which will be processed by the server without proper sanitization. This can be done by using the 'is_linking' parameter to link quizzes together, effectively chaining the SQL injection attack.

Remediation

Users are advised to update the Quiz and Survey Master plugin to version 11.0.0 or later, where this vulnerability has been patched.