CVE-2025-9318 Overview
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress contains a time-based SQL Injection vulnerability in the is_linking parameter. This security flaw affects all versions up to and including 10.3.1 and stems from insufficient escaping on user-supplied parameters combined with inadequate preparation of existing SQL queries. Authenticated attackers with Subscriber-level access or above can exploit this vulnerability to append malicious SQL queries, potentially extracting sensitive information from the WordPress database.
Critical Impact
Authenticated attackers can leverage this SQL Injection vulnerability to extract sensitive database information including user credentials, personally identifiable information, and other confidential data stored in the WordPress database.
Affected Products
- Quiz and Survey Master (QSM) plugin for WordPress versions up to and including 10.3.1
- WordPress installations with QSM plugin and Subscriber-level or higher authenticated users
Discovery Timeline
- 2026-01-06 - CVE-2025-9318 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-9318
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), specifically a time-based blind SQL injection variant. The flaw exists within the plugin's REST API endpoint, where the is_linking parameter is processed without proper sanitization or parameterized query handling. Time-based SQL injection allows attackers to infer database contents by observing response time differences when injecting conditional SQL statements with time-delay functions.
The attack requires network access and authentication at the Subscriber level, which is the lowest tier of authenticated WordPress user. While this authentication requirement provides some protection, Subscriber accounts are commonly available on many WordPress sites that allow user registration. The vulnerability allows attackers to read sensitive database contents but does not permit data modification or system availability impact.
Root Cause
The root cause of this vulnerability is insufficient input validation and improper handling of user-supplied data in SQL queries. The is_linking parameter is passed directly into an SQL query without adequate escaping or the use of prepared statements with parameterized queries. This allows specially crafted input to manipulate the underlying SQL query structure.
The vulnerable code can be found in the plugin's REST API handler at php/rest-api.php. The lack of WordPress's built-in $wpdb->prepare() function or equivalent parameterization leaves the query susceptible to injection attacks.
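The pattern described above, shown as an added illustration rather than the QSM plugin's own code: a hypothetical REST callback that reads is_linking, first in the unsafe interpolated form and then hardened with $wpdb->prepare() and argument validation at route registration. The function names, the example/v1 route, the table name and the assumption that is_linking is a 0/1 integer are all mine.

```php
<?php
// Added illustration, not the QSM plugin's code: a hypothetical REST callback
// handling an is_linking parameter. Route, table and function names are
// assumed, as is the assumption that is_linking is a 0/1 integer flag.

// UNSAFE: the raw parameter is concatenated into the SQL text, so the client
// controls part of the query structure (CWE-89).
function example_get_quiz_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $is_linking = $request->get_param( 'is_linking' );
    $sql = "SELECT quiz_id, quiz_name FROM {$wpdb->prefix}example_quizzes WHERE is_linking = '$is_linking'";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// HARDENED: the value never becomes part of the SQL text; %d forces an
// integer and $wpdb->prepare() builds the final statement.
function example_get_quiz_safe( WP_REST_Request $request ) {
    global $wpdb;
    $is_linking = (int) $request->get_param( 'is_linking' );
    $sql = $wpdb->prepare(
        "SELECT quiz_id, quiz_name FROM {$wpdb->prefix}example_quizzes WHERE is_linking = %d",
        $is_linking
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Reject bad input before the callback runs: declare the argument's type and
// validate it when the route is registered.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/quizzes', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_quiz_safe',
        'permission_callback' => function () { return is_user_logged_in(); },
        'args'                => array(
            'is_linking' => array(
                'type'              => 'integer',
                'required'          => true,
                'validate_callback' => function ( $value ) { return in_array( (int) $value, array( 0, 1 ), true ); },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

Even with the validate_callback in place, the prepared statement stays: validation narrows the input, parameterization removes the injection path.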
Attack Vector
The attack vector for this vulnerability is network-based, requiring the attacker to have authenticated access to the WordPress installation with at least Subscriber-level privileges. The attacker exploits the vulnerability by sending specially crafted HTTP requests to the REST API endpoint, manipulating the is_linking parameter to inject malicious SQL statements.
In a time-based blind SQL injection attack, the attacker uses conditional SQL statements combined with time-delay functions (such as MySQL's SLEEP() function) to extract data one character at a time by observing response timing differences. This method is slower but effective when direct query output is not visible to the attacker.
The vulnerability mechanism involves manipulating the is_linking parameter in API requests to the Quiz and Survey Master plugin's REST API endpoint. Attackers can inject time-based SQL payloads that cause measurable delays when specific conditions are met, allowing gradual extraction of database contents. For detailed technical analysis, refer to the Wordfence Vulnerability Analysis and the vulnerable source code reference.
Detection Methods for CVE-2025-9318
Indicators of Compromise
- Unusual REST API requests to QSM plugin endpoints containing SQL syntax patterns or time-delay functions such as SLEEP() or BENCHMARK()
- HTTP request logs showing repeated requests to the same endpoint with incrementally varying parameter values
- Database query logs displaying abnormally long execution times or containing injected SQL commands
- Web Application Firewall (WAF) alerts for SQL injection patterns targeting the is_linking parameter
Detection Strategies
- Enable and monitor WordPress REST API access logs for suspicious patterns targeting the Quiz and Survey Master plugin endpoints
- Deploy a Web Application Firewall (WAF) with SQL injection detection rules that can identify time-based injection attempts
- Implement database query logging and alerting for queries containing common SQL injection payloads or unusually long execution times
- Use SentinelOne Singularity to monitor for anomalous web application behavior and potential data exfiltration attempts
Monitoring Recommendations
- Configure real-time alerting for REST API requests containing SQL keywords or special characters in the is_linking parameter
- Monitor database performance metrics for unusual spikes in query execution time that may indicate time-based SQL injection attempts
- Review authentication logs for Subscriber-level accounts exhibiting suspicious API access patterns
- Implement rate limiting on REST API endpoints to slow down automated injection attempts
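The indicators listed above (time-delay functions in is_linking, and one client cycling through many values at a single endpoint), turned into an added log-scanning example that is not part of the original page. The access-log lines are constructed samples, and the /wp-json/qsm/ path is an assumed placeholder for the plugin's REST route.

```php
<?php
// Added detection example (not from the page or the plugin): scan access-log
// lines for REST requests whose is_linking parameter carries a time-delay SQL
// function, and count how many distinct values each client sent to one path.
// The sample log lines and the /wp-json/qsm/ route are constructed.

$suspicious = '/\b(SLEEP|BENCHMARK)\s*\(/i';

function analyze_access_log( array $lines, string $pattern ): array {
    $hits     = array();  // requests with a time-delay function in is_linking
    $variants = array();  // "ip path" => distinct is_linking values seen
    foreach ( $lines as $line ) {
        // Combined log format: ip - - [ts] "METHOD /path?query HTTP/x" status size
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) { continue; }
        list( , $ip, , $target ) = $m;
        $parts = parse_url( $target );
        if ( empty( $parts['query'] ) ) { continue; }
        parse_str( $parts['query'], $query );  // parse_str also URL-decodes
        if ( ! isset( $query['is_linking'] ) ) { continue; }
        $value = (string) $query['is_linking'];
        $key   = $ip . ' ' . $parts['path'];
        $variants[ $key ][ $value ] = true;
        if ( preg_match( $pattern, $value ) ) {
            $hits[] = array( 'ip' => $ip, 'path' => $parts['path'], 'value' => $value );
        }
    }
    // Clients that sent several different values to one endpoint: the
    // "incrementally varying parameter" indicator.
    $cycling = array();
    foreach ( $variants as $key => $seen ) {
        if ( count( $seen ) >= 3 ) { $cycling[ $key ] = count( $seen ); }
    }
    return array( 'hits' => $hits, 'cycling' => $cycling );
}

$sample_log = array(  // constructed sample lines
    '198.51.100.7 - - [06/Jan/2026:10:00:01 +0000] "GET /wp-json/qsm/v1/quiz?is_linking=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Jan/2026:10:00:02 +0000] "GET /wp-json/qsm/v1/quiz?is_linking=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Jan/2026:10:00:03 +0000] "GET /wp-json/qsm/v1/quiz?is_linking=1%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Jan/2026:10:00:09 +0000] "GET /wp-json/qsm/v1/quiz?is_linking=0 HTTP/1.1" 200 512',
);
$report = analyze_access_log( $sample_log, $suspicious );
printf( "%d suspicious request(s); %d client/endpoint pair(s) cycling values\n", count( $report['hits'] ), count( $report['cycling'] ) );
foreach ( $report['hits'] as $h ) { printf( "  %s %s is_linking=%s\n", $h['ip'], $h['path'], $h['value'] ); }
```

Keyword matching alone misses encoded or obfuscated payloads, so pair it with the database-side slow-query monitoring described above.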
How to Mitigate CVE-2025-9318
Immediate Actions Required
- Update the Quiz and Survey Master plugin to the latest version that addresses this vulnerability
- Review and audit Subscriber-level user accounts for any unauthorized or suspicious registrations
- Temporarily disable the QSM plugin if an immediate update is not possible and the plugin is not critical to operations
- Enable a Web Application Firewall with SQL injection protection rules while awaiting the patch
Patch Information
Organizations should update the Quiz and Survey Master plugin to a version newer than 10.3.1 that includes the security fix. Check the official WordPress plugin repository or the vendor's release notes for the patched version. For technical details about the vulnerability and the fix, refer to the Wordfence Vulnerability Analysis.
Workarounds
- Implement a Web Application Firewall (WAF) rule to filter and block requests containing SQL injection patterns in the is_linking parameter
- Restrict Subscriber-level user registration if not required for business operations, reducing the potential attack surface
- Use WordPress security plugins to add additional input validation layers for REST API requests
- Consider implementing IP-based access controls to limit REST API access to trusted networks only
# Example WAF rule concept for ModSecurity to block SQL injection in the is_linking parameter
# Note: Test thoroughly in a staging environment before production deployment
# Note: ARGS covers query-string and form-encoded body parameters; if the endpoint
# accepts a JSON body, enable the JSON request body processor so the parameter is inspected
SecRule ARGS:is_linking "@detectSQLi" \
    "id:1000001,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'SQL Injection attempt detected in is_linking parameter',\
    tag:'application-multi',\
    tag:'CVE-2025-9318'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.