CVE-2026-2412: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in expresstech Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
CVE-2026-2412 is a medium-severity SQL Injection vulnerability in the Quiz and Survey Master (QSM) WordPress plugin, versions up to and including 10.3.5. It arises from improper sanitization of the 'merged_question' parameter, allowing authenticated users with Contributor-level access or higher to inject SQL code. The vulnerability stems from the use of sanitize_text_field(), which does not remove SQL metacharacters, combined with unsafe concatenation of the value into a SQL IN() clause without parameterized queries or proper type casting. Exploitation can lead to unauthorized disclosure of sensitive database information. No known exploits are currently in the wild. Mitigation requires patching or applying secure coding practices such as using $wpdb->prepare() and strict input validation. This threat primarily affects WordPress sites using QSM, which are widespread globally, with higher risk in countries with large WordPress user bases and active contributor communities. The CVSS 3.1 base score is 6.5 (medium).
AI Analysis
Technical Summary
CVE-2026-2412 is a SQL Injection vulnerability identified in the Quiz and Survey Master (QSM) plugin for WordPress, affecting all versions up to and including 10.3.5. The vulnerability is caused by improper neutralization of special SQL elements in the 'merged_question' parameter. Although the plugin applies the sanitize_text_field() function to this parameter, this function does not adequately filter out SQL metacharacters such as parentheses, OR, AND, and comment symbols (#). The parameter value is then directly concatenated into a SQL IN() clause without using WordPress's $wpdb->prepare() method or casting values to integers, which are standard practices to prevent SQL Injection. This flaw allows an authenticated attacker with Contributor-level privileges or higher to inject arbitrary SQL code into existing queries. Such injection can be leveraged to extract sensitive information from the database, compromising confidentiality. The vulnerability does not affect data integrity or availability, and no user interaction beyond authentication is required. No public exploits have been reported yet, but the vulnerability is publicly disclosed and assigned a CVSS 3.1 base score of 6.5 (medium severity). The plugin is widely used in WordPress environments, making the attack surface significant. The root cause is insecure coding practices around input sanitization and query construction in the plugin's handling of user input.
Potential Impact
The primary impact of CVE-2026-2412 is unauthorized disclosure of sensitive information stored in the WordPress database via SQL Injection. Attackers with Contributor-level access can exploit this vulnerability to extract data beyond their normal permissions, potentially accessing user data, site configuration, or other confidential information. While the vulnerability does not allow modification or deletion of data (no integrity or availability impact), the confidentiality breach can lead to further attacks such as privilege escalation, identity theft, or targeted phishing. Organizations running WordPress sites with the vulnerable QSM plugin are at risk, especially those with multiple contributors or less stringent access controls. The attack requires authenticated access, which limits exposure but does not eliminate risk, as Contributor accounts are common in collaborative environments. The widespread use of WordPress and QSM increases the potential scale of impact globally. Additionally, sensitive sectors such as education, media, and business that rely on quizzes and surveys for data collection may face reputational damage and compliance issues if data is leaked.
Mitigation Recommendations
To mitigate CVE-2026-2412, organizations should immediately update the Quiz and Survey Master plugin to a patched version once available. In the absence of an official patch, site administrators should restrict Contributor-level access and above to trusted users only. Developers maintaining custom versions of the plugin should refactor the vulnerable code by replacing direct concatenation of the 'merged_question' parameter with parameterized queries using $wpdb->prepare() or by strictly casting inputs to integers before inclusion in SQL queries. Additionally, implement rigorous input validation and sanitization beyond sanitize_text_field(), specifically filtering out SQL metacharacters. Employ Web Application Firewalls (WAFs) with SQL Injection detection rules to provide an additional layer of defense. Regularly audit user roles and permissions to minimize the number of users with Contributor or higher privileges. Monitoring database query logs for unusual patterns can help detect exploitation attempts early. Finally, educate developers and administrators about secure coding practices and the risks of SQL Injection in WordPress plugins.
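The refactoring recommended above, shown as an added illustration that is not QSM's own source code: the first function reproduces the unsafe pattern the analysis describes (sanitize_text_field() followed by string concatenation into IN()), the second applies the two fixes the recommendation names, strict integer casting and $wpdb->prepare() with one %d placeholder per value. The function names, the table name and the column names are assumptions made for the example; the value passed in stands for the raw 'merged_question' request parameter.

```php
<?php
// Added example, not the plugin's own code. Function, table and column
// names are assumptions; $merged_question stands for the raw request value,
// expected to be a comma-separated list of question IDs such as "12,15,19".

// Unsafe pattern (the defect class described in the advisory).
// sanitize_text_field() strips tags, line breaks and control characters but
// leaves characters that are meaningful to SQL, so the string lands inside
// IN() verbatim. Kept only to contrast with the hardened version below.
function qsm_example_unsafe_sql( $wpdb, $merged_question ) {
    $clean = sanitize_text_field( $merged_question );
    return "SELECT question_id, question_name FROM {$wpdb->prefix}mlw_questions"
         . " WHERE question_id IN ({$clean})";
}

// Hardened pattern: validate shape, cast to integers, bind via prepare().
// Returns the prepared SQL string, or null when the input is not a list of
// plain decimal integers (callers should treat null as a rejected request,
// never fall back to the raw string).
function qsm_example_safe_sql( $wpdb, $merged_question ) {
    $parts = array_filter(
        array_map( 'trim', explode( ',', (string) $merged_question ) ),
        'strlen'
    );
    if ( empty( $parts ) ) {
        return null;
    }
    // Allow-list check: every element must be digits only before casting,
    // so "12 OR 1=1" style values are rejected rather than silently truncated.
    foreach ( $parts as $part ) {
        if ( ! ctype_digit( $part ) ) {
            return null;
        }
    }
    $ids = array_map( 'absint', $parts );

    // One %d placeholder per ID; $wpdb->prepare() accepts the values as an
    // array and casts each %d to an integer when it builds the query.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->prepare(
        "SELECT question_id, question_name FROM {$wpdb->prefix}mlw_questions"
        . " WHERE question_id IN ({$placeholders})",
        $ids
    );
}
```

The ctype_digit() gate and the %d placeholders are deliberately redundant: the gate rejects malformed input early with a clear error, and the placeholders guarantee that even if a caller bypasses the gate, nothing but integers reaches the database. A WAF rule or query-log monitor, as the recommendations suggest, then only needs to flag non-numeric values in this parameter.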
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, Brazil, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-12T16:12:41.339Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c1d4a9f4197a8e3ba0b478
Added to database: 3/24/2026, 12:02:49 AM
Last enriched: 3/24/2026, 12:06:06 AM
Last updated: 3/24/2026, 4:41:37 AM