The Quiz And Survey Master plugin for WordPress allows attackers to access quiz answers

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.3

The Quiz And Survey Master plugin for WordPress allows attackers to access quiz answers

CVE-2026-5797

Summary

The Quiz And Survey Master plugin for WordPress, used to create quizzes and surveys, is vulnerable to a security issue that allows hackers to access other users' quiz answers without permission. This is because the plugin doesn't properly check user input, allowing attackers to inject malicious code. To fix this, update the plugin to version 11.1.1 or later.

Original title

Original description

The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to insufficient input sanitization and the execution of do_shortcode() on user-submitted quiz answer text. User-submitted answers pass through sanitize_text_field() and htmlspecialchars(), which only strip HTML tags but do not encode or remove shortcode brackets [ and ]. When quiz results are displayed, the plugin calls do_shortcode() on the entire results page output (including user answers), causing any injected shortcodes to be executed. This makes it possible for unauthenticated attackers to inject arbitrary WordPress shortcodes such as [qsm_result id=X] to access other users' quiz submissions without authorization, as the qsm_result shortcode lacks any authorization checks.

nvd CVSS3.1 5.3

Vulnerability type

CWE-74 Injection

Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026