CVE-2025-9318 is a time-based SQL Injection vulnerability identified in the Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress, affecting all versions up to and including 10.3.1. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), specifically due to insufficient escaping of the 'is_linking' parameter supplied by users. This parameter is incorporated into SQL queries without adequate preparation or parameterization, allowing attackers with authenticated access at the Subscriber level or higher to inject additional SQL commands. The injection is time-based, enabling attackers to infer data by measuring response delays, which can be used to extract sensitive information from the underlying database. The vulnerability does not require user interaction beyond authentication and does not affect data integrity or availability, focusing primarily on confidentiality breaches. The CVSS 3.1 score of 6.5 reflects network attack vector, low attack complexity, requiring privileges but no user interaction, and a high impact on confidentiality. No patches or exploits are currently publicly available, but the risk remains significant due to the widespread use of WordPress and this plugin. The vulnerability highlights the importance of proper input validation and use of prepared statements in plugin development.

The primary impact of CVE-2025-9318 is unauthorized disclosure of sensitive information stored in the WordPress database, which may include user data, site configuration, or other confidential content managed by the plugin or WordPress installation. Since the vulnerability allows SQL Injection via an authenticated user with minimal privileges (Subscriber level), attackers can escalate their access to extract data beyond their intended scope. This can lead to privacy violations, data breaches, and potential compliance issues for organizations handling personal or sensitive data. Although the vulnerability does not directly affect data integrity or availability, the exposure of confidential information can facilitate further attacks such as privilege escalation, phishing, or lateral movement within the network. Organizations relying on the QSM plugin for quizzes and surveys risk reputational damage and legal consequences if exploited. The medium severity rating suggests that while exploitation requires some access, the ease of injection and high confidentiality impact make this a notable threat for WordPress sites using this plugin.

To mitigate CVE-2025-9318, organizations should immediately update the Quiz and Survey Master plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should consider the following specific measures: 1) Restrict Subscriber-level users from accessing or interacting with the vulnerable 'is_linking' parameter or related plugin functionalities through role hardening or capability restrictions. 2) Implement Web Application Firewall (WAF) rules to detect and block SQL Injection patterns targeting the 'is_linking' parameter, focusing on time-based injection signatures. 3) Employ database query logging and monitoring to detect anomalous query patterns indicative of injection attempts. 4) Review and sanitize all user inputs in custom code or plugin extensions to ensure proper escaping and use of parameterized queries. 5) Consider temporarily disabling the QSM plugin if it is not critical to operations until a secure version is released. 6) Conduct regular security audits and penetration testing focusing on plugin vulnerabilities and authenticated user privileges. These targeted actions go beyond generic advice by focusing on the specific parameter and user roles involved in this vulnerability.