{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5797", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-08T14:08:20.955Z", "datePublished": "2026-04-17T05:29:26.679Z", "dateUpdated": "2026-04-17T05:29:26.679Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T05:29:26.679Z"}, "affected": [{"vendor": "expresstech", "product": "Quiz and Survey Master (QSM) \u2013 Easy Quiz and Survey Maker", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "10.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to insufficient input sanitization and the execution of do_shortcode() on user-submitted quiz answer text. User-submitted answers pass through sanitize_text_field() and htmlspecialchars(), which only strip HTML tags but do not encode or remove shortcode brackets [ and ]. When quiz results are displayed, the plugin calls do_shortcode() on the entire results page output (including user answers), causing any injected shortcodes to be executed. This makes it possible for unauthenticated attackers to inject arbitrary WordPress shortcodes such as [qsm_result id=X] to access other users' quiz submissions without authorization, as the qsm_result shortcode lacks any authorization checks."}], "title": "Quiz and Survey Master (QSM) <= 11.1.0 - Unauthenticated Shortcode Injection Leading to Arbitrary Quiz Result Disclosure via Quiz Answer Text Input Fields", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2aa33cc-c1c4-42d4-9c2f-54648426ee4b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/class-qsm-results-pages.php#L193"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qsm-results-pages.php#L193"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/class-qmn-quiz-manager.php#L572"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qmn-quiz-manager.php#L572"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/question-types/class-question-review-text.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/question-types/class-question-review-text.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/question-types/class-question-review.php#L40"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/question-types/class-question-review.php#L40"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3506094%40quiz-master-next&new=3506094%40quiz-master-next&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "cweId": "CWE-74", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2026-04-16T16:42:59.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to insufficient input sanitization and the execution of do_shortcode() on user-submitted quiz answer text. User-submitted answers pass through sanitize_text_field() and htmlspecialchars(), which only strip HTML tags but do not encode or remove shortcode brackets [ and ]. When quiz results are displayed, the plugin calls do_shortcode() on the entire results page output (including user answers), causing any injected shortcodes to be executed. This makes it possible for unauthenticated attackers to inject arbitrary WordPress shortcodes such as [qsm_result id=X] to access other users' quiz submissions without authorization, as the qsm_result shortcode lacks any authorization checks."}], "id": "CVE-2026-5797", "lastModified": "2026-04-17T06:16:30.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T06:16:30.153", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qmn-quiz-manager.php#L572"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qsm-results-pages.php#L193"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/question-types/class-question-review-text.php#L15"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/question-types/class-question-review.php#L40"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/class-qmn-quiz-manager.php#L572"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/class-qsm-results-pages.php#L193"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/question-types/class-question-review-text.php#L15"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/question-types/class-question-review.php#L40"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3506094%40quiz-master-next&new=3506094%40quiz-master-next&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2aa33cc-c1c4-42d4-9c2f-54648426ee4b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Quiz and Survey Master (QSM) \u2013 Easy Quiz and Survey Maker", "source": "cna", "vendor": "expresstech"}, "product": "quiz_and_survey_master_(qsm)_\u2013_easy_quiz_and_survey_maker", "vendor": "expresstech"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T07:51:12.139649+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Quiz and Survey Master plugin (\u2265\u202f11.1.1) immediately.", "If an update cannot be deployed right away, modify the results rendering code to remove or escape any short\u2011code delimiters before calling do_shortcode(), or disable short\u2011code execution entirely on the results page.", "Disable or secure the qsm_result shortcode by adding an authorization check that verifies the current user has permission to view the specified quiz result."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated disclosure of private quiz results via arbitrary shortcode execution"}, "threat_synthesis": {"affected_systems": "Any WordPress site running Quiz and Survey Master version 11.1.0 or earlier, including all releases of the plugin up to that version. The affected component is the core plugin code that processes quiz answers and displays results. Users of this plugin are those who allow quiz participation without requiring authentication.", "description_and_impact": "The Quiz And Survey Master plugin for WordPress allows users to submit quiz answers that are not properly sanitized before being passed to the short\u2011code processor. Because the plugin calls do_shortcode() on the entire results page, any shortcodes embedded in user answers are executed. This flaw can be exploited by an unauthenticated attacker to inject shortcodes such as [qsm_result id=X], which then reveals the results of other users\u2019 quizzes. The vulnerability is a form of authorization bypass that results in the disclosure of confidential user data.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3, indicating moderate severity. No EPSS information is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting low to moderate exploitation probability until a public exploit becomes available. The exploit requires no special privileges and can be performed from any external web request containing a crafted quiz answer. The short\u2011code execution bypass makes the attack straightforward once the attacker identifies a target quiz. Because the flaw does not rely on any complex preconditions, it is likely to be discovered and used by attackers who wish to obtain users\u2019 quiz submissions."}}}}, "created": "2026-04-17T08:00:11.082663+00:00", "updated": "2026-04-17T08:01:12.670020+00:00", "vendors": ["expresstech", "expresstech$PRODUCT$quiz_and_survey_master_(qsm)_\u2013_easy_quiz_and_survey_maker", "wordpress", "wordpress$PRODUCT$wordpress"]}