Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13767

CVE-2026-13767: Quiz Master Next WordPress SQLi Flaw

CVE-2026-13767 is a SQL injection vulnerability in Quiz Master Next plugin for WordPress affecting versions up to 11.2.0. Attackers with Author-level access can extract sensitive database information. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-13767 Overview

CVE-2026-13767 is a second-order SQL Injection vulnerability [CWE-89] in the Quiz Master Next plugin for WordPress, affecting all versions up to and including 11.2.0. The flaw resides in the qsm_ajax_save_pages() AJAX handler, which stores user-supplied quiz page data using only sanitize_text_field. The stored payload is later interpolated into a SQL IN() clause in qsm_options_questions_tab_content() without $wpdb->prepare() or integer casting. Authenticated attackers with Author-level access can plant a payload that executes when any user, including an administrator, views the quiz's Questions tab.

Critical Impact

Authenticated Author-level attackers can extract sensitive database contents through second-order SQL injection triggered when administrators view affected quiz pages.

Affected Products

  • Quiz Master Next plugin for WordPress
  • Versions up to and including 11.2.0
  • WordPress sites permitting Author-level user registration or delegation

Discovery Timeline

  • 2026-07-16 - CVE-2026-13767 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2026-13767

Vulnerability Analysis

The vulnerability is a classic stored, or second-order, SQL Injection. The plugin's qsm_ajax_save_pages() handler accepts a pages parameter containing quiz page IDs. It applies only sanitize_text_field(), which strips tags and normalizes whitespace but does not neutralize SQL metacharacters. The malicious payload is then persisted in the database.

When an administrator or any authorized user later opens the Questions tab of the affected quiz, qsm_options_questions_tab_content() reads the stored IDs at line 143 and joins them with implode() into a raw SQL IN() clause. Because the query is executed directly without $wpdb->prepare() and without integer casting, the attacker's payload is concatenated into the query text and evaluated by MySQL. This allows appending arbitrary SQL to exfiltrate data such as user credentials, session tokens, and WordPress options.

Root Cause

The root cause is improper neutralization of special elements used in a SQL command. sanitize_text_field() is a string-cleaning function intended for display, not query safety. Combined with unparameterized query construction via implode(), the trust boundary between stored user input and privileged query execution is broken.

Attack Vector

An authenticated user with Author-level access or above creates or edits a quiz they own and submits crafted pages data through the AJAX endpoint. The payload lies dormant in the database until a higher-privileged user views the Questions tab, at which point the injected SQL runs in the context of the WordPress database user. See the Wordfence Vulnerability Analysis for detailed exploitation notes.

Detection Methods for CVE-2026-13767

Indicators of Compromise

  • Unexpected SQL syntax fragments such as UNION, SELECT, or comment markers stored inside wp_postmeta or plugin-specific tables associated with Quiz Master Next quiz pages.
  • MySQL error log entries referencing malformed IN() clauses generated by options-page-questions-tab.php.
  • Author-level accounts recently modifying quizzes followed by administrator access to the Questions tab.

Detection Strategies

  • Review AJAX requests to admin-ajax.php with action=qsm_ajax_save_pages for non-numeric characters in the pages parameter.
  • Audit WordPress database rows for Quiz Master Next quiz page storage containing quotes, parentheses, or SQL keywords.
  • Correlate slow query log entries from administrator sessions with the Questions tab URL pattern.

Monitoring Recommendations

  • Enable WordPress database query logging on staging or forensic environments to capture unprepared IN() clauses.
  • Monitor the plugin file php/admin/options-page-questions-tab.php for integrity changes and confirm the patched version is deployed.
  • Track privilege changes and quiz ownership assignments for Author-level and Editor-level accounts.

How to Mitigate CVE-2026-13767

Immediate Actions Required

  • Update the Quiz Master Next plugin to a version above 11.2.0 that includes the fix referenced in the WordPress Quiz Master Change Log.
  • Restrict quiz authoring permissions to trusted accounts and remove Author-level access from untrusted users.
  • Audit existing quizzes for anomalous page ID content prior to patching, since malicious payloads persist across upgrades.

Patch Information

The plugin maintainers addressed the flaw by hardening the pages parameter handling and query construction. Review the source references for options-page-questions-tab.php line 143, line 1085, and the Quiz Master helper class to validate the fixed code paths.

Workarounds

  • Temporarily disable the Quiz Master Next plugin if immediate patching is not possible.
  • Deploy a Web Application Firewall rule blocking SQL metacharacters in the pages parameter of qsm_ajax_save_pages requests.
  • Sanitize existing stored quiz page IDs by forcing integer casting on plugin data before administrators re-open the Questions tab.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.