SQL injection vulnerability found in popular WordPress plugin QSM

Data Security, Vulnerability Management, Patch/Configuration Management

(Credit: Bilal Ulker – stock.adobe.com)

WordPress websites using the Quiz and Survey Master (QSM) plugin are at risk due to a critical SQL injection vulnerability. Versions 10.3.1 and below are affected, allowing logged-in users to potentially extract sensitive database data. WordPress administrators are strongly urged to update the QSM plugin to version 10.3.2 or newer to mitigate this security risk, based on information published by Tech Radar.

The vulnerability, tracked as CVE-2025-67987, allows any user with a subscriber-level account or higher to inject SQL commands into database queries. This could lead to data exfiltration and other unauthorized actions. With over 40,000 active installations, a significant portion of websites are estimated to be vulnerable, as at least 47.9% are running versions older than 10.3.2.

While there is no current evidence of the flaw being actively exploited in the wild, threat actors are expected to begin scanning for vulnerable sites. It is also recommended to remove any unused plugins and themes to minimize the attack surface.

Source: Tech Radar
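The practical question for an administrator reading this is whether a given site is still on an affected release. The script below is an added example, not code from SC Media, Tech Radar or the QSM project: it reads the `Version:` field from a WordPress plugin's header comment and reports whether it is below the first fixed release (10.3.2, per the advisory). The plugin directory slug (`quiz-master-next`) and main file name (`mlw_quizmaster2.php`) are assumptions used for the directory scan; the sample plugin headers embedded in the block are constructed for demonstration.

```python
"""Check whether an installed WordPress plugin's header version is in an affected range.

Added example (not from the page or the QSM project). The only fact taken from the
advisory is the fixed version, 10.3.2; everything else is generic version handling.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

# First fixed release named in the advisory: anything older is affected.
FIXED_VERSION = "10.3.2"

# Assumed values (not taken from the page): the plugin's directory slug and main file.
PLUGIN_SLUG = "quiz-master-next"
PLUGIN_MAIN_FILE = "mlw_quizmaster2.php"

# Matches the "Version:" line of a WordPress plugin header comment, e.g. " * Version: 10.3.1".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

# Constructed sample headers, not real plugin files.
SAMPLE_VULNERABLE = """<?php
/**
 * Plugin Name: Quiz And Survey Master
 * Version: 10.3.1
 */
"""

SAMPLE_PATCHED = """<?php
/**
 * Plugin Name: Quiz And Survey Master
 * Version: 10.3.2
 */
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.3.1' into (10, 3, 1); a non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison of dotted versions; shorter tuples are padded with zeros
    so that '10.3' sorts below '10.3.2' (string comparison would get '10.10' wrong)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def header_version(plugin_source: str) -> Optional[str]:
    """Extract the Version field from plugin source text, or None if absent."""
    m = _VERSION_RE.search(plugin_source)
    return m.group(1) if m else None


def is_affected(plugin_source: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the header version is older than the fixed release, False if not,
    None if no version header could be found (treat None as 'investigate')."""
    v = header_version(plugin_source)
    if v is None:
        return None
    return version_lt(v, fixed)


def scan_plugins_dir(plugins_dir: str, slug: str = PLUGIN_SLUG,
                     main_file: str = PLUGIN_MAIN_FILE) -> Optional[bool]:
    """Read <plugins_dir>/<slug>/<main_file> and report whether it is affected.
    Returns None when the plugin is not installed or has no Version header."""
    path = Path(plugins_dir) / slug / main_file
    if not path.is_file():
        return None
    return is_affected(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Typical call on a live site: scan_plugins_dir("/var/www/html/wp-content/plugins")
    for label, src in (("sample 10.3.1", SAMPLE_VULNERABLE), ("sample 10.3.2", SAMPLE_PATCHED)):
        print(label, "->", "affected" if is_affected(src) else "not affected")
```

Run it against `wp-content/plugins` on each site; a `None` result means the plugin is absent or its header is unreadable and should be checked by hand rather than assumed safe. The same comparison can be fed from `wp plugin list` output if WP-CLI is available, but reading the header works without it.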