CVE-2025-9318: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in expresstech Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘is_linking’ parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
CVE-2025-9318 identifies a time-based SQL Injection vulnerability in the Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker WordPress plugin, versions up to and including 10.3.1. The vulnerability stems from insufficient escaping and lack of proper parameterization of the 'is_linking' parameter within SQL queries. Authenticated attackers with at least Subscriber-level access can inject malicious SQL code by manipulating this parameter, enabling them to append additional SQL commands to existing queries. This can be exploited to extract sensitive information from the backend database, such as user credentials, personal data, or configuration details. The attack does not require user interaction beyond authentication and does not affect data integrity or availability, focusing primarily on confidentiality breaches. The vulnerability has a CVSS v3.1 base score of 6.5, reflecting medium severity, with attack vector being network-based, low attack complexity, and requiring privileges but no user interaction. No public exploits are known at this time, but the presence of this vulnerability in a widely used WordPress plugin makes it a notable risk. The lack of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for interim mitigations.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive data stored in WordPress databases, including user information and potentially business-critical data collected via quizzes and surveys. Since the attack requires only Subscriber-level access, which is commonly granted to registered users or customers, the attack surface is broad. Data breaches resulting from exploitation could lead to regulatory penalties under GDPR due to exposure of personal data. Additionally, reputational damage and loss of customer trust are likely consequences. Organizations relying on QSM for customer engagement or data collection face risks of data leakage and potential lateral movement if attackers leverage extracted credentials. The vulnerability does not directly impact system availability or integrity but compromises confidentiality, which is critical for compliance and privacy. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.
Mitigation Recommendations
Organizations should monitor for official patches from the plugin vendor and apply them promptly once available. Until a patch is released, restrict user roles to the minimum necessary privileges, avoiding granting Subscriber-level access to untrusted users. Implement Web Application Firewalls (WAFs) with SQL Injection detection and prevention rules tailored to WordPress environments to block malicious payloads targeting the 'is_linking' parameter. Conduct regular audits of user accounts to identify and remove unnecessary or suspicious accounts. Employ database activity monitoring to detect unusual query patterns indicative of SQL Injection attempts. Consider disabling or replacing the QSM plugin if it is not essential or if a timely patch is unavailable. Additionally, ensure WordPress core and other plugins are kept up to date to reduce overall attack surface. Educate administrators and developers about secure coding practices and parameterized queries to prevent similar vulnerabilities in custom plugins or themes.
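As an added illustration (not the plugin's code, which this page does not show), the following hypothetical WordPress AJAX handler contrasts the partially prepared query pattern the advisory describes, where one parameter is concatenated into an otherwise prepared statement, with a hardened version that routes every user-controlled value through a typed `$wpdb->prepare` placeholder and gates the endpoint with a nonce and a capability check. Table, column, action, nonce and capability names are assumptions.

```php
<?php
// Hypothetical handler written for this advisory; NOT the QSM plugin's code.
// Table/column names (example_questions, question_id, question_name) are assumed.

// BEFORE (the pattern the advisory describes): quiz_id is bound with %d, but
// is_linking is concatenated straight from the request, so the statement is
// only partially prepared and the concatenated value is injectable.
function qsm_like_lookup_unsafe( $quiz_id, $is_linking ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT question_id, question_name FROM {$wpdb->prefix}example_questions"
        . " WHERE quiz_id = %d AND is_linking = " . $is_linking, // raw user input
        $quiz_id
    );
    return $wpdb->get_results( $sql );
}

// AFTER: both values are bound through placeholders. is_linking is a flag, so it
// is coerced to 0/1 before it reaches the query; no string from the request is
// ever spliced into the SQL text.
function qsm_like_lookup_safe( $quiz_id, $is_linking ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT question_id, question_name FROM {$wpdb->prefix}example_questions"
        . " WHERE quiz_id = %d AND is_linking = %d",
        absint( $quiz_id ),
        $is_linking ? 1 : 0
    );
    return $wpdb->get_results( $sql );
}

// Endpoint wrapper: CSRF nonce plus a capability check so that Subscriber-level
// accounts (which the advisory says suffice to reach the query) are refused.
// 'edit_posts' is an assumed minimum capability for this hypothetical feature.
function qsm_like_ajax_handler() {
    check_ajax_referer( 'example_nonce_action', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rows = qsm_like_lookup_safe(
        isset( $_POST['quiz_id'] ) ? absint( $_POST['quiz_id'] ) : 0,
        isset( $_POST['is_linking'] ) && '1' === $_POST['is_linking']
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_example_lookup', 'qsm_like_ajax_handler' );
```

The same placeholder discipline applies to any other request parameter that reaches `$wpdb`; the page's "lack of sufficient preparation" wording is exactly the mixed concatenate-and-prepare pattern shown in the first function.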
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-21T13:25:19.701Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695cd7ee3839e4417504db30
Added to database: 1/6/2026, 9:37:50 AM
Last enriched: 1/6/2026, 9:52:26 AM
Last updated: 1/8/2026, 8:52:21 AM