CVE-2026-5797: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in expresstech Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
The Quiz And Survey Master (QSM) WordPress plugin up to version 11. 1. 0 is vulnerable to arbitrary shortcode execution due to improper sanitization of user-submitted quiz answers. The plugin executes do_shortcode() on quiz results output, allowing injected shortcodes to run. This enables unauthenticated attackers to inject shortcodes like [qsm_result id=X] to view other users' quiz submissions without authorization. The vulnerability arises because sanitize_text_field() and htmlspecialchars() do not remove shortcode brackets, and the qsm_result shortcode lacks authorization checks.
AI Analysis
Technical Summary
CVE-2026-5797 is an injection vulnerability (CWE-74) in the Quiz And Survey Master WordPress plugin (up to version 11.1.0). User-submitted quiz answers are sanitized only by sanitize_text_field() and htmlspecialchars(), which do not remove shortcode brackets. When displaying quiz results, the plugin calls do_shortcode() on the entire output, including user answers, allowing execution of arbitrary shortcodes. Attackers can exploit this to inject shortcodes such as [qsm_result id=X] to access other users' quiz results without authorization, due to missing authorization checks in the shortcode handler.
Potential Impact
An unauthenticated attacker can inject arbitrary WordPress shortcodes via quiz answers, leading to unauthorized access to other users' quiz submissions. This compromises user privacy and data confidentiality within the affected plugin. There is no direct impact on system availability or integrity reported. The CVSS 3.1 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, and no user interaction needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should consider disabling the Quiz And Survey Master plugin or restricting quiz answer inputs to trusted users. Monitoring plugin updates from expresstech is recommended to apply an official fix once released. Avoid using untrusted user input in shortcode execution contexts.
CVE-2026-5797: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in expresstech Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Description
The Quiz And Survey Master (QSM) WordPress plugin up to version 11. 1. 0 is vulnerable to arbitrary shortcode execution due to improper sanitization of user-submitted quiz answers. The plugin executes do_shortcode() on quiz results output, allowing injected shortcodes to run. This enables unauthenticated attackers to inject shortcodes like [qsm_result id=X] to view other users' quiz submissions without authorization. The vulnerability arises because sanitize_text_field() and htmlspecialchars() do not remove shortcode brackets, and the qsm_result shortcode lacks authorization checks.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-5797 is an injection vulnerability (CWE-74) in the Quiz And Survey Master WordPress plugin (up to version 11.1.0). User-submitted quiz answers are sanitized only by sanitize_text_field() and htmlspecialchars(), which do not remove shortcode brackets. When displaying quiz results, the plugin calls do_shortcode() on the entire output, including user answers, allowing execution of arbitrary shortcodes. Attackers can exploit this to inject shortcodes such as [qsm_result id=X] to access other users' quiz results without authorization, due to missing authorization checks in the shortcode handler.
Potential Impact
An unauthenticated attacker can inject arbitrary WordPress shortcodes via quiz answers, leading to unauthorized access to other users' quiz submissions. This compromises user privacy and data confidentiality within the affected plugin. There is no direct impact on system availability or integrity reported. The CVSS 3.1 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, and no user interaction needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should consider disabling the Quiz And Survey Master plugin or restricting quiz answer inputs to trusted users. Monitoring plugin updates from expresstech is recommended to apply an official fix once released. Avoid using untrusted user input in shortcode execution contexts.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-08T14:08:20.955Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e1d07582d89c981f98f516
Added to database: 4/17/2026, 6:17:25 AM
Last enriched: 4/24/2026, 4:22:07 PM
Last updated: 6/3/2026, 9:36:56 PM
Views: 60
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.