PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13767 expresstech CVE debrief

The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied 'pages' parameter persisted by the qsm_ajax_save_pages() AJAX handler (sanitize_text_field only) and lack of sufficient preparation on the existing SQL query built in qsm_options_questions_tab_content() at line 143, where the stored page IDs are interpolated into an IN() clause via implode() with no $wpdb->prepare() and no integer casting.

Vendor
expresstech
Product
Quiz and Survey Master (QSM) – Quiz Maker & Survey Maker
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Authenticated attackers with Author-level access and above who can own a quiz they are entitled to edit, as well as users viewing the quiz's Questions tab, should be aware of this vulnerability.

Technical summary

The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. The vulnerability exists due to insufficient escaping on the user-supplied 'pages' parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with Author-level access and above to plant a SQL payload that is executed second-order whenever any user views the quiz's Questions tab.

Defensive priority

Medium priority due to the CVSS score of 6.5 and the potential for sensitive information extraction.

Recommended defensive actions

  • Update the Quiz Master Next plugin to a version beyond 11.2.0.
  • Restrict access to the quiz's Questions tab to only trusted users.
  • Monitor database queries for suspicious activity.
  • Implement a Web Application Firewall (WAF) to detect and prevent SQL injection attacks.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-16T09:16:16.943Z and has not been modified since then. The NVD entry is currently Received. This SQL injection vulnerability exists in the Quiz Master Next plugin for WordPress versions up to, and including, 11.2.0. Authenticated attackers with Author-level access and above can exploit this by planting a SQL payload that is executed second-order when any user views the quiz's Questions tab, allowing them to append additional SQL queries into existing queries to extract sensitive information from the database. Evidence is limited to public CVE and NVD information. Defenders should verify affected deployments, review official advisories, and monitor for suspicious database queries.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T09:16:16.943Z and has not been modified since then. The NVD entry is currently Received.