CVE-2026-5797 Overview
The Quiz And Survey Master plugin for WordPress contains an Arbitrary Shortcode Execution vulnerability in versions up to and including 11.1.0. This security flaw arises from insufficient input sanitization combined with the unsafe execution of do_shortcode() on user-submitted quiz answer text. The plugin's reliance on sanitize_text_field() and htmlspecialchars() functions proves inadequate, as these methods only strip HTML tags but fail to encode or remove WordPress shortcode brackets [ and ].
When quiz results are displayed to users, the plugin invokes do_shortcode() on the entire results page output, including user-submitted answers. This behavior enables attackers to inject arbitrary WordPress shortcodes that execute in the context of the WordPress installation.
Critical Impact
Unauthenticated attackers can inject arbitrary WordPress shortcodes to access other users' quiz submissions without authorization, bypassing access controls entirely.
Affected Products
- Quiz And Survey Master plugin for WordPress versions up to and including 11.1.0
- WordPress installations utilizing the vulnerable plugin versions
- Sites with publicly accessible quiz forms
Discovery Timeline
- 2026-04-17 - CVE-2026-5797 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-5797
Vulnerability Analysis
This vulnerability represents a classic case of improper input validation (CWE-74) where the trust boundary between user input and application logic is improperly defined. The Quiz And Survey Master plugin processes user-submitted quiz answers through sanitization functions designed primarily for HTML content, but WordPress shortcodes operate outside the HTML parsing context.
The core issue lies in the plugin's architecture where user-controlled data flows from quiz submissions into the results rendering pipeline. The sanitize_text_field() function removes HTML tags, scripts, and encoding, while htmlspecialchars() converts special HTML characters. However, neither function addresses WordPress-specific shortcode syntax, which uses square brackets rather than angle brackets.
When the results page is generated, the do_shortcode() function parses the entire output looking for registered shortcode patterns. Any shortcode syntax present in user answers—including injected malicious shortcodes—gets executed with the privileges of the WordPress installation.
Root Cause
The root cause is a combination of insufficient input sanitization and overly permissive output processing. The plugin applies HTML-centric sanitization to user input but fails to account for the WordPress shortcode API. The do_shortcode() function is called on a composite string containing both trusted template content and untrusted user data, creating an injection point.
The vulnerable code paths exist in multiple class files including the quiz manager class (class-qmn-quiz-manager.php), results pages class (class-qsm-results-pages.php), and question review classes. These components collectively allow shortcode-containing answers to persist and later execute.
Attack Vector
An attacker exploits this vulnerability by submitting quiz answers containing WordPress shortcode syntax. The attack requires no authentication and can be performed by any user with access to a public quiz form.
The attack proceeds as follows: An attacker submits a quiz answer containing a shortcode such as [qsm_result id=X] where X represents another user's quiz submission ID. When this answer is displayed on a results page, do_shortcode() processes the injected shortcode. The qsm_result shortcode itself lacks authorization checks, allowing the attacker to view quiz submissions belonging to other users.
This attack can potentially be extended to execute other registered shortcodes depending on the WordPress installation's configuration and installed plugins.
Detection Methods for CVE-2026-5797
Indicators of Compromise
- Quiz answer submissions containing square bracket patterns resembling WordPress shortcodes (e.g., [shortcode_name attribute="value"])
- Unexpected shortcode execution errors in WordPress error logs
- Database entries in quiz answer tables containing shortcode syntax
- Unusual access patterns to quiz result pages with enumerated IDs
Detection Strategies
- Implement web application firewall (WAF) rules to detect shortcode patterns in form submissions to quiz endpoints
- Monitor WordPress debug logs for unexpected shortcode parsing activity during results page generation
- Review database tables storing quiz answers for entries containing [ and ] bracket combinations
- Audit access logs for sequential requests to quiz result endpoints indicating ID enumeration attempts
Monitoring Recommendations
- Enable WordPress debug logging temporarily to capture shortcode execution traces during suspected exploitation
- Configure intrusion detection systems to alert on form submissions containing bracket-delimited patterns to quiz-related endpoints
- Implement rate limiting on quiz submission endpoints to slow down automated exploitation attempts
- Set up database monitoring to detect unusual SELECT queries against quiz submission tables
How to Mitigate CVE-2026-5797
Immediate Actions Required
- Update the Quiz And Survey Master plugin to the latest patched version immediately
- Audit existing quiz submission data for evidence of shortcode injection attempts
- Review WordPress access logs for suspicious activity targeting quiz endpoints
- Consider temporarily disabling public quiz access until the patch is applied
Patch Information
A security patch addressing this vulnerability is available. The fix involves properly sanitizing shortcode brackets from user-submitted content before storage and/or preventing do_shortcode() from processing user-controlled portions of the results output.
Review the WordPress Changeset Log for technical details on the implemented fix. Additional vulnerability information is available in the Wordfence Vulnerability Report.
Workarounds
- Implement a custom input filter to strip or encode square brackets from quiz answer submissions before database storage
- Use a WAF rule to block requests containing shortcode-like patterns in quiz form fields
- Restrict quiz access to authenticated users only until the patch can be applied
- Add a mu-plugin (must-use plugin) that hooks into quiz answer processing to sanitize shortcode syntax
# Example: Add shortcode bracket sanitization via wp-config.php filter
# Add to theme functions.php or custom plugin as temporary mitigation
# This is a conceptual example - implement proper sanitization:
# 1. Hook into quiz answer processing
# 2. Strip or encode [ and ] characters from user input
# 3. Test thoroughly before deploying to production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
