Attack Vectors
CVE-2026-2412 is a Medium-severity (CVSS 6.5) SQL Injection vulnerability in the Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker WordPress plugin (slug: quiz-master-next) affecting versions up to and including 10.3.5.
The attack requires an authenticated WordPress account with at least Contributor privileges (or any role that can reach the vulnerable functionality). An attacker can send a crafted value in the merged_question parameter to influence a database query. Because the vector is network-based and does not require user interaction, this is most relevant for organizations with multiple site users (marketing teams, agencies, freelancers, or content contributors) or any environment where logins are broadly distributed.
Security Weakness
The root issue is insufficient sanitization and unsafe query construction. The plugin applies sanitize_text_field() to the merged_question parameter, but that function only strips HTML tags, invalid UTF-8, and extra whitespace; it does not block SQL metacharacters such as ), OR, AND, and #. The resulting value is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or safely casting each value to an integer.
In business terms: the plugin attempts to “clean” user input, but it does not enforce the strict “only numbers are allowed here” rule that this query needs. That gap enables SQL injection by authenticated users.
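The following is an added illustration of the pattern the advisory describes, not the plugin's own code: a constructed vulnerable query that concatenates the sanitized string into IN(), beside a hardened version that enforces the integer-only rule and binds every value through $wpdb->prepare(). The function names and the table name are assumptions.

```php
<?php
// Constructed example; function and table names are hypothetical, not from the plugin.

// Vulnerable pattern: sanitize_text_field() leaves SQL syntax intact, and the
// value is interpolated directly into the IN() clause.
function example_vulnerable_query( $wpdb, $merged_question ) {
    $ids = sanitize_text_field( $merged_question ); // still a free-form string
    return "SELECT * FROM {$wpdb->prefix}example_questions WHERE question_id IN ({$ids})";
}

// Hardened pattern: split on commas, force each item to a non-negative integer
// with absint(), drop zeros/empties, then bind with one %d placeholder per value.
function example_hardened_query( $wpdb, $merged_question ) {
    $ids = array_filter( array_map( 'absint', explode( ',', (string) $merged_question ) ) );
    if ( empty( $ids ) ) {
        return null; // nothing valid to look up; do not fall back to an unfiltered query
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_questions WHERE question_id IN ({$placeholders})",
        array_values( $ids )
    );
}
```

The hardened version makes the "only numbers are allowed here" rule explicit in code, so a reviewer can verify it without reasoning about what sanitize_text_field() does or does not strip.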
Technical or Business Impacts
Although this issue is rated Medium, the CVSS vector indicates a High confidentiality impact. Depending on what the vulnerable query can reach, SQL injection can expose sensitive information stored in the database. For many organizations, that database may include customer contact details, form submissions, campaign metadata, user accounts, or other operational data tied to marketing and web operations.
For marketing directors and executives, the practical risks include data exposure, loss of customer trust, and compliance and reporting obligations if regulated data is involved. Even if the attacker is “only” a low-privilege user, many real-world incidents begin with a compromised contributor account and escalate into broader business disruption.
Remediation: Update Quiz and Survey Master (QSM) to version 11.0.0 or newer (patched). Validate that any staging or secondary sites are updated as well, since attackers often target the weakest publicly reachable environment.
Similar Attacks
SQL injection remains one of the most commonly exploited web application weaknesses. High-profile examples include:
1) TalkTalk (2015) – attackers exploited a SQL injection weakness leading to a major data breach:
https://en.wikipedia.org/wiki/2015_TalkTalk_data_breach
2) Heartland Payment Systems (2008) – a widely cited breach involving SQL injection and large-scale payment card exposure:
https://en.wikipedia.org/wiki/Heartland_Payment_Systems
3) OWASP overview of SQL injection (background and common outcomes):
https://owasp.org/www-community/attacks/SQL_Injection