CVE-2025-9318 Overview
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress contains a time-based SQL injection vulnerability [CWE-89]. The flaw exists in the is_linking parameter and affects all versions up to and including 10.3.1. Insufficient escaping of user input combined with inadequate SQL statement preparation allows authenticated attackers with Subscriber-level access or higher to append arbitrary SQL queries. Successful exploitation enables extraction of sensitive data from the WordPress database.
Critical Impact
Authenticated attackers with Subscriber-level access can extract sensitive database contents, including user credentials, session tokens, and private quiz responses, through time-based SQL injection.
Affected Products
- Expresstech Quiz and Survey Master (QSM) plugin for WordPress
- All versions up to and including 10.3.1
- WordPress installations exposing the vulnerable REST API endpoint
Discovery Timeline
- 2026-01-06 - CVE-2025-9318 published to NVD
- 2026-01-09 - Last updated in NVD database
Technical Details for CVE-2025-9318
Vulnerability Analysis
The vulnerability resides in the plugin's REST API handler. The is_linking parameter is concatenated into a SQL query without proper sanitization or use of prepared statements. Because the input is passed directly into the query construction logic, an attacker can inject SQL fragments that the database engine executes alongside the original statement.
The injection is time-based, meaning attackers infer query results by measuring response delays produced by payloads such as SLEEP() functions. This blind technique extracts data one character at a time without requiring visible output in the response. Authenticated access at the Subscriber role is sufficient, which is the lowest privileged role in WordPress and trivially obtainable on sites with open registration.
Root Cause
The root cause is missing input escaping and the absence of $wpdb->prepare() parameterization on the SQL statement that consumes the is_linking parameter. The plugin trusts a client-controlled value and embeds it directly into the query string. WordPress provides the prepare() API to bind parameters safely, but this code path bypasses that mechanism.
Attack Vector
The attack vector is network-based and requires authentication. An attacker registers or authenticates as a Subscriber, then issues a crafted HTTP request to the vulnerable REST API endpoint documented in the WordPress Quiz Master API source. The is_linking parameter carries the malicious SQL payload appended to the legitimate value.
No verified proof-of-concept code has been published. Technical analysis is available in the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-9318
Indicators of Compromise
- HTTP requests to the QSM REST API endpoints containing SQL keywords such as SLEEP, BENCHMARK, UNION, or SELECT in the is_linking parameter
- Anomalously long response times on /wp-json/ endpoints tied to the quiz-master-next plugin
- New or unexpected Subscriber-level user registrations followed by API activity targeting QSM routes
- Database error log entries referencing malformed queries originating from the plugin
Detection Strategies
- Inspect web server and WordPress access logs for is_linking parameter values containing non-numeric or non-boolean content
- Deploy WAF rules that flag SQL injection patterns on plugin REST API routes
- Monitor MySQL slow query logs for repeated queries with sleep-based time delays correlated to plugin endpoints
- Correlate authentication events for low-privilege accounts with subsequent REST API calls to QSM
Monitoring Recommendations
- Enable WordPress audit logging to track all REST API calls made by Subscriber accounts
- Alert on user registration spikes when open registration is enabled
- Continuously scan installed plugins against vulnerability feeds for QSM version 10.3.1 and earlier
- Baseline normal request latency to plugin endpoints and alert on statistically significant deviations
How to Mitigate CVE-2025-9318
Immediate Actions Required
- Update the Quiz and Survey Master plugin to a version newer than 10.3.1 as soon as a patched release is available
- Disable open user registration if Subscriber accounts are not required for site functionality
- Audit existing Subscriber-level accounts and remove unrecognized users
- Review database logs for evidence of prior exploitation attempts targeting the is_linking parameter
Patch Information
No vendor advisory URL is listed in the NVD record at the time of publication. Site administrators should monitor the plugin's WordPress.org changelog and the Wordfence Vulnerability Report for fixed version information. Until a patch is installed, treat all QSM versions through 10.3.1 as vulnerable.
Workarounds
- Deactivate the QSM plugin until a fixed version is installed if quizzes and surveys are non-essential
- Apply a Web Application Firewall rule blocking SQL metacharacters in the is_linking parameter on QSM REST endpoints
- Restrict access to /wp-json/ endpoints by IP allowlist where feasible
- Enforce stronger role assignment policies so that anonymous visitors cannot self-register as Subscribers
# Example WAF rule (ModSecurity) blocking SQLi patterns on is_linking parameter
SecRule ARGS:is_linking "@rx (?i)(sleep|benchmark|union|select|--|/\*)" \
"id:1009318,phase:2,deny,status:403,\
msg:'CVE-2025-9318 QSM is_linking SQLi attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

