CVE-2026-6448 Overview
CVE-2026-6448 is a time-based blind SQL Injection vulnerability in the Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress. The flaw affects all plugin versions up to and including 11.1.2. The vulnerability resides in the order parameter, which is not adequately escaped before being concatenated into a SQL query. Authenticated attackers with administrator-level access can append arbitrary SQL clauses to extract sensitive data from the WordPress database. If the plugin's secret key is exposed, lower-privileged users can also exploit the issue. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated attackers can extract database contents, including WordPress user credentials, session tokens, and configuration secrets, through time-based blind SQL injection in the order parameter.
Affected Products
- Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress
- All versions up to and including 11.1.2
- Vulnerable code paths located in class-qsm-quiz-api.php
Discovery Timeline
- 2026-06-06 - CVE-2026-6448 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-6448
Vulnerability Analysis
The vulnerability exists within the QSM quiz API class file class-qsm-quiz-api.php. Multiple code paths at lines 126, 131, 164, 243, and 374 construct SQL queries that incorporate the user-supplied order parameter. The plugin does not pass this parameter through $wpdb->prepare() with appropriate placeholders, nor does it apply a strict allowlist for ORDER BY direction values. Attackers leverage time-based blind SQL injection techniques, typically using functions like SLEEP() or BENCHMARK(), to infer database contents based on server response delays. Because ORDER BY clauses cannot be parameterized with standard placeholders in WordPress's wpdb abstraction, developers must validate these values against a strict allowlist. The plugin's failure to do so allows attackers to inject arbitrary SQL fragments.
Root Cause
The root cause is insufficient escaping of the order parameter combined with the lack of $wpdb->prepare() usage on the affected SQL statements. The plugin trusts user-controlled input destined for the ORDER BY clause without validating it against a fixed set of acceptable values such as ASC or DESC.
Attack Vector
Exploitation requires network access to a vulnerable WordPress instance and an authenticated account with administrator-level privileges. An attacker sends a crafted request to the QSM REST API endpoint, supplying a malicious payload in the order parameter. The injected SQL conditional triggers a measurable delay, allowing the attacker to extract data one bit at a time. When the plugin's secret key is leaked or guessable, the administrator-level requirement no longer holds, and lower-privileged users can reach the vulnerable code path. Refer to the Wordfence Vulnerability Report and the vulnerable source code for technical context.
Detection Methods for CVE-2026-6448
Indicators of Compromise
- Inbound HTTP requests to QSM REST API endpoints containing SQL keywords such as SLEEP(, BENCHMARK(, UNION SELECT, or IF( within the order parameter.
- Unusually long response times for QSM API endpoints, particularly responses delayed in regular increments consistent with binary search inference.
- Repeated authenticated requests from a single administrator or service account targeting QSM endpoints with varying order parameter values.
- Database error log entries referencing malformed ORDER BY clauses originating from QSM queries.
Detection Strategies
- Inspect web server access logs for requests to QSM-related REST routes that include non-alphabetic characters in the order query parameter.
- Deploy a web application firewall (WAF) rule that blocks values other than ASC or DESC (case-insensitive) in order parameters destined for the QSM plugin.
- Enable MySQL slow query logging and correlate slow ORDER BY queries with WordPress request logs.
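As an added example (not code from the advisory or from the plugin), the following Python script applies the access-log check and the ASC/DESC allowlist described above to constructed sample log lines, flagging values that carry the IoC tokens or simply fall outside the allowlist, and then surfaces accounts that sent several distinct suspicious values. The QSM REST route prefix it filters on is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_ORDER = re.compile(r"ASC|DESC", re.IGNORECASE)  # the advisory's WAF allowlist
# SQL tokens named in the advisory's indicators of compromise.
SQL_MARKERS = re.compile(r"SLEEP\s*\(|BENCHMARK\s*\(|UNION\s+SELECT|\bIF\s*\(", re.IGNORECASE)
# Combined log format: client, ident, auth user, [timestamp], "METHOD target PROTO", ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')
QSM_ROUTE = "/wp-json/quiz-survey-master/"  # route prefix assumed for the example

# Constructed sample lines, not real traffic: a benign admin call, two probes from a
# second admin session, a lowercase benign value, a malformed value, and a non-QSM route.
SAMPLE_LOG = """\
10.0.0.5 - admin [06/Jun/2026:10:00:01 +0000] "GET /wp-json/quiz-survey-master/v1/results?quiz_id=3&order=DESC HTTP/1.1" 200 512
10.0.0.9 - admin [06/Jun/2026:10:00:07 +0000] "GET /wp-json/quiz-survey-master/v1/results?quiz_id=3&order=SLEEP%285%29 HTTP/1.1" 200 512
10.0.0.9 - admin [06/Jun/2026:10:00:15 +0000] "GET /wp-json/quiz-survey-master/v1/results?quiz_id=3&order=IF%281%3D1%2C1%2C0%29 HTTP/1.1" 200 512
10.0.0.5 - editor [06/Jun/2026:10:01:00 +0000] "GET /wp-json/quiz-survey-master/v1/results?order=asc HTTP/1.1" 200 512
10.0.0.5 - editor [06/Jun/2026:10:01:09 +0000] "GET /wp-json/quiz-survey-master/v1/results?order=DESC%3B HTTP/1.1" 200 512
10.0.0.7 - - [06/Jun/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts?order=SLEEP%285%29 HTTP/1.1" 200 512
"""

def classify_order(value):
    """Return a reason when a decoded order value is suspicious, else None."""
    if ALLOWED_ORDER.fullmatch(value.strip()):
        return None
    if SQL_MARKERS.search(value):
        return "sql-keyword"       # token from the advisory's IoC list
    return "not-allowlisted"       # anything else outside ASC/DESC

def scan_access_log(text):
    """Return (ip, user, order value, reason) for suspicious requests to QSM routes."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        target = urlsplit(m.group("target")) if m else None
        if target is None or not target.path.startswith(QSM_ROUTE):
            continue               # unparsable line, or the same parameter on another route
        # parse_qs URL-decodes values and drops blank ones, like the nginx rule's '?'
        for value in parse_qs(target.query).get("order", []):
            reason = classify_order(value)
            if reason:
                hits.append((m.group("ip"), m.group("user"), value, reason))
    return hits

def repeated_offenders(hits, min_distinct=2):
    """Accounts that sent several distinct suspicious values: the repeated-probing IoC."""
    seen = {}
    for ip, user, value, _ in hits:
        seen.setdefault((ip, user), set()).add(value)
    return {key: len(vals) for key, vals in seen.items() if len(vals) >= min_distinct}
```

Run it on a real access log by passing the file contents to scan_access_log; the probe lines from the second admin session are flagged and reported by repeated_offenders, while the benign DESC/asc calls and the non-QSM route are ignored.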
Monitoring Recommendations
- Monitor WordPress administrator account activity for anomalous API usage patterns or sessions originating from unexpected IP addresses.
- Track plugin version inventory across WordPress deployments and alert when QSM versions at or below 11.1.2 are detected.
- Audit storage and transmission of the QSM secret key, treating any exposure as a credential compromise event.
How to Mitigate CVE-2026-6448
Immediate Actions Required
- Update the Quiz and Survey Master plugin to a patched version released after 11.1.2 as soon as the vendor publishes a fix.
- Restrict administrator account access and enforce multi-factor authentication on all WordPress administrative users.
- Rotate the QSM plugin secret key if there is any suspicion of exposure, and review where the key is stored.
- Review WordPress and database logs for evidence of prior exploitation, focusing on requests to QSM endpoints with anomalous order values.
Patch Information
The vendor changeset associated with the fix is published on the WordPress plugin repository. Review the WordPress Quiz Master Changeset for the corrective commit and upgrade to the latest available release of the plugin.
Workarounds
- Temporarily deactivate the QSM plugin until a patched release is installed.
- Apply a WAF rule that rejects any order parameter value not matching the regular expression ^(ASC|DESC)$ for requests targeting QSM endpoints.
- Limit access to /wp-json/ QSM routes through IP allowlisting on the web server or reverse proxy.
- Audit and revoke unused administrator accounts to reduce the attack surface for authenticated exploitation.
# Example nginx rule restricting the QSM 'order' parameter to ASC/DESC values
# (the trailing '?' in the pattern also accepts a request with no order parameter)
location ~* /wp-json/quiz-survey-master/ {
    if ($arg_order !~* "^(ASC|DESC)?$") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

