PatchSiren cyber security CVE debrief
CVE-2026-13767 expresstech CVE debrief
The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied 'pages' parameter persisted by the qsm_ajax_save_pages() AJAX handler (sanitize_text_field only) and lack of sufficient preparation on the existing SQL query built in qsm_options_questions_tab_content() at line 143, where the stored page IDs are interpolated into an IN() clause via implode() with no $wpdb->prepare() and no integer casting.
- Vendor
- expresstech
- Product
- Quiz and Survey Master (QSM) – Quiz Maker & Survey Maker
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Authenticated attackers with Author-level access and above who can own a quiz they are entitled to edit, as well as users viewing the quiz's Questions tab, should be aware of this vulnerability.
Technical summary
The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. The vulnerability exists due to insufficient escaping on the user-supplied 'pages' parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with Author-level access and above to plant a SQL payload that is executed second-order whenever any user views the quiz's Questions tab.
Defensive priority
Medium priority due to the CVSS score of 6.5 and the potential for sensitive information extraction.
Recommended defensive actions
- Update the Quiz Master Next plugin to a version beyond 11.2.0.
- Restrict access to the quiz's Questions tab to only trusted users.
- Monitor database queries for suspicious activity.
- Implement a Web Application Firewall (WAF) to detect and prevent SQL injection attacks.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-16T09:16:16.943Z and has not been modified since then. The NVD entry is currently Received. This SQL injection vulnerability exists in the Quiz Master Next plugin for WordPress versions up to, and including, 11.2.0. Authenticated attackers with Author-level access and above can exploit this by planting a SQL payload that is executed second-order when any user views the quiz's Questions tab, allowing them to append additional SQL queries into existing queries to extract sensitive information from the database. Evidence is limited to public CVE and NVD information. Defenders should verify affected deployments, review official advisories, and monitor for suspicious database queries.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T09:16:16.943Z and has not been modified since then. The NVD entry is currently Received.