SQL Injection Flaw Affects 40,000 WordPress Sites

February 3, 2026

Infosecurity Magazine

Companies Mentioned

Patchstack

Why It Matters

The vulnerability shows how low‑privilege accounts can compromise WordPress sites, prompting urgent patch adoption and heightened security reviews for plugins. It also highlights the broader risk of insufficient input validation in the WordPress ecosystem.

Key Takeaways

  • Over 40,000 sites vulnerable via the Quiz and Survey Master plugin.
  • Vulnerability exploitable by any logged‑in user, not just admins.
  • Flaw stemmed from the unsanitized `_is_linking_` REST API parameter.
  • Patch released in version 10.3.2 fixes the issue by casting the parameter with intval.
  • Incident underscores the need for input validation and prepared statements.

Pulse Analysis

WordPress powers roughly 43% of all websites, and its extensibility hinges on a massive ecosystem of third‑party plugins. Quiz and Survey Master (QSM) is among the most installed plugins, enabling marketers and educators to embed interactive quizzes, surveys, and forms without coding. The recent discovery of a SQL injection flaw in QSM, identified as CVE‑2025‑67987, exposed more than 40,000 active sites to data‑theft or manipulation risks. Because the vulnerability existed in versions up to 10.3.1, many operators were unknowingly running insecure software, underscoring how a single plugin can become a systemic attack vector across the WordPress landscape.

The defect originated in a REST‑API endpoint that retrieves quiz question data. The `_is_linking_` request parameter was treated as a numeric identifier but was concatenated directly into an SQL statement without any sanitisation or use of prepared statements. An attacker with merely a Subscriber‑level account could supply crafted input containing additional SQL commands, causing the database engine to execute unintended queries. This classic injection scenario bypasses the usual privilege barrier, allowing unauthorized read or write operations on the site’s underlying MySQL tables, and illustrates the danger of trusting user‑supplied data in server‑side code.

Patchstack’s responsible disclosure led to a rapid fix: version 10.3.2 now casts `_is_linking_` to an integer via `intval`, effectively blocking malicious payloads. The episode reinforces two best‑practice imperatives for the WordPress community. First, plugin developers must adopt parameterised queries and rigorous input validation as default coding standards. Second, site administrators should maintain an aggressive patch‑management cadence, monitoring vulnerability feeds and applying updates promptly. As the WordPress ecosystem continues to expand, the QSM incident serves as a cautionary reminder that even low‑privilege users can become vectors for high‑impact exploits if foundational security controls are neglected.
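The fix pattern described above, as an added illustrative example in PHP that is not the plugin's own code: a hypothetical WordPress REST route (namespace `qsm-demo/v1`, table `demo_questions`, functions `qsm_demo_*`) that takes a numeric `_is_linking_` parameter, shown first in the unsafe concatenated shape and then hardened with an integer cast plus `$wpdb->prepare()`, argument validation and a capability check.

```php
<?php
// Added illustrative example, not the Quiz and Survey Master code.
// Hypothetical REST endpoint that looks up a quiz question by a numeric
// request parameter: the unsafe shape the article describes, then the fix.

// UNSAFE (hypothetical): the parameter is concatenated straight into SQL.
// Any authenticated caller controls $id, so the query shape is attacker-controlled.
function qsm_demo_get_question_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $id  = $request->get_param( '_is_linking_' );
    $sql = "SELECT * FROM {$wpdb->prefix}demo_questions WHERE question_id = " . $id;
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// HARDENED: cast to an integer (the fix the article describes) AND bind it
// through $wpdb->prepare() so the value can never alter the query structure.
function qsm_demo_get_question_safe( WP_REST_Request $request ) {
    global $wpdb;
    $id = intval( $request->get_param( '_is_linking_' ) );
    if ( $id <= 0 ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid question id.', array( 'status' => 400 ) );
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_questions WHERE question_id = %d",
        $id
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Route registration: validate the argument at the REST layer as well, and
// require a capability instead of accepting any logged-in user.
add_action( 'rest_api_init', function () {
    register_rest_route( 'qsm-demo/v1', '/question', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'qsm_demo_get_question_safe',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' ); // hypothetical capability choice
        },
        'args'                => array(
            '_is_linking_' => array(
                'required'          => true,
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );
```

The integer cast alone closes this particular parameter, but `$wpdb->prepare()` with a `%d` placeholder is what protects the query regardless of how the value is later reused.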
