WordPress websites around the world are facing a serious cybersecurity risk due to a critical vulnerability in a widely used plugin called Quiz and Survey Master (QSM). This bug has triggered urgent warnings from cybersecurity experts and is being described as one of the most dangerous WordPress flaws in 2026 because of how many sites it affects and how easily it can be exploited.
What the Vulnerability Is
The issue lies in the Quiz and Survey Master (QSM) plugin, a tool installed on tens of thousands of WordPress sites to create quizzes, surveys, feedback forms, and similar interactive elements. Vulnerable versions of QSM (10.3.1 and older) contain a critical SQL injection flaw (tracked as CVE‑2025‑67987) that allows attackers with very low privileges, even subscriber‑level users, to inject malicious commands into database queries.
How This Flaw Works
An SQL Injection flaw occurs when user‑supplied data is improperly handled in a database query, allowing that data to be interpreted as part of the command itself. In this case, an attacker can manipulate database queries through QSM’s code because input parameters are not properly sanitized and prepared. This enables them to alter data, extract sensitive information, or perform unauthorized actions inside the database.
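To make the distinction concrete, here is an added illustration in WordPress plugin code (hypothetical, not QSM's own source): an AJAX handler that fetches quiz results, first with the unsafe pattern the article describes, then hardened with $wpdb->prepare() plus a nonce and capability check. The table name, action name and capability are assumptions for the example.

```php
<?php
// Added example, not QSM's code. Table "{$wpdb->prefix}quiz_results", the AJAX action
// and the required capability are hypothetical.

// VULNERABLE PATTERN: request data is concatenated straight into the SQL string, so
// whatever the caller puts in quiz_id becomes part of the query itself.
function hypothetical_quiz_results_unsafe() {
    global $wpdb;
    $quiz_id = $_POST['quiz_id'];                       // unvalidated, untyped
    $sql     = "SELECT * FROM {$wpdb->prefix}quiz_results WHERE quiz_id = " . $quiz_id;
    wp_send_json( $wpdb->get_results( $sql ) );         // data is interpreted as command
}

// HARDENED PATTERN: authenticate the request, authorise the user, coerce the input to
// the expected type, and bind it through a typed placeholder.
function hypothetical_quiz_results_safe() {
    global $wpdb;

    // Reject forged requests; wp_ajax_* handlers are reachable by any logged-in user.
    check_ajax_referer( 'quiz_results_nonce', 'nonce' );

    // Low-privilege accounts (e.g. subscribers) should not reach this data at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // absint() guarantees a non-negative integer; %d binds it as a number, never as SQL.
    $quiz_id = absint( $_POST['quiz_id'] ?? 0 );
    $sql     = $wpdb->prepare(
        "SELECT id, user_id, score FROM {$wpdb->prefix}quiz_results WHERE quiz_id = %d",
        $quiz_id
    );

    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Only the hardened handler is registered; the unsafe one is kept for comparison.
add_action( 'wp_ajax_hypothetical_quiz_results', 'hypothetical_quiz_results_safe' );
```

When reviewing a plugin update, searching for `$wpdb->` calls whose SQL is built from `$_GET`, `$_POST` or `$_REQUEST` without `prepare()` is a quick way to spot the unsafe pattern.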
Scale and Risk
Security researchers estimate that over 40,000 WordPress sites using the vulnerable QSM plugin could be affected or at risk. Although there was no confirmed evidence of large‑scale active exploitation at the time of reporting, the ease of exploitation and number of vulnerable installations elevate the threat level significantly.
Potential Impact on Sites
If a hacker successfully exploits this vulnerability, they could:
- Inject malicious code into the database or website.
- Steal or manipulate sensitive data stored in the site’s database.
- Add malicious scripts that redirect users or display unwanted content.
- Use the compromised site for unauthorized actions like phishing or malware distribution.
This type of attack can damage a website’s integrity, disrupt business operations, and harm visitors’ security and privacy.
What Website Owners Should Do
- Update Immediately: The plugin developer has fixed the vulnerability in later versions of QSM (10.3.2 and above), so updating to the latest version is essential.
- Remove Unused Plugins/Themes: Unused components can create unnecessary attack surface.
- Use Security Plugins: Tools like Wordfence or Sucuri help detect and block malicious activity.
- Keep WordPress Updated: Regular updates reduce risk from known vulnerabilities.
Summary
A serious SQL injection vulnerability in the QSM WordPress plugin has been identified, affecting 40,000+ websites. The flaw lets attackers inject malicious commands into a site’s database, posing risks like data theft, code injection, and unauthorized actions. Websites using the vulnerable plugin must update immediately to the latest version.
