Expresstech Quiz And Survey Master vulnerabilities
46 known vulnerabilities affecting expresstech/quiz_and_survey_master.
Total CVEs: 46
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 11, MEDIUM 30
Vulnerabilities
Page 2 of 3
CVE-2019-17599 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 6.3.5 | 2019-12-13
The quiz-master-next (aka Quiz And Survey Master) plugin before 6.3.5 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via the from or till parameter (and/or the quiz_id parameter). The component is: admin/quiz-options-page.php. The attack vector is: When the Admi
nvd
CVE-2016-11085 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | fixed in 4.7.9 | 2020-08-16
php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admin_question.js mishandles parsing inside of a SCRIPT element.
nvd
CVE-2022-4032 | P4 | MEDIUM | CVSS 6.1 | CWE-20 | ≤ 8.0.4 | 2022-11-29
The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute w
nvd
CVE-2022-4033 | P4 | MEDIUM | CVSS 5.3 | CWE-20 | ≤ 8.0.4 | 2022-11-29
The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc.). This makes it possible for attackers to submit values
nvd
CVE-2023-51507 | P4 | MEDIUM | CVSS 5.3 | CWE-862 | fixed in 8.1.17 | ≥ n/a, ≤ 8.1.16 | 2024-06-14
Missing Authorization vulnerability in ExpressTech Quiz And Survey Master. This issue affects Quiz And Survey Master: from n/a through 8.1.16.
nvd
CVE-2022-0181 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.3.7 | versions prior to 7.3.7 | 2022-01-17
Reflected cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to inject an arbitrary script via unspecified vectors.
nvd
CVE-2021-24368 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.1.18 | 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link
nvd
CVE-2024-10679 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 9.2.1 | 2025-03-25
The Quiz and Survey Master (QSM) WordPress plugin before 9.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
nvd
CVE-2022-0182 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.3.7 | versions prior to 7.3.7 | 2022-01-17
Stored cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote authenticated attacker to inject an arbitrary script via a website that uses Quiz And Survey Master.
nvd
CVE-2024-4934 | P4 | MEDIUM | CVSS 5.5 | CWE-79 | fixed in 9.0.2 | 2024-07-01
The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 does not validate and escape some of its Quiz fields before outputting them back in a page/post where the Quiz is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
nvd
CVE-2023-3575 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 8.1.11 | 2023-08-07
The Quiz And Survey Master WordPress plugin before 8.1.11 does not properly sanitize and escape question titles, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks
nvd
CVE-2021-36863 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 7.3.4 | 2022-10-28
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ExpressTech Quiz And Survey Master plugin <= 7.3.4 on WordPress.
nvd
CVE-2021-36905 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.3.5 | ≤ 7.3.4 | 2022-11-17
Multiple Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Quiz And Survey Master plugin <= 7.3.4 on WordPress.
nvd
CVE-2023-47834 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ n/a, ≤ 8.1.13 | 2023-11-23
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ExpressTech Quiz And Survey Master plugin <= 8.1.13 versions.
nvd
CVE-2024-6025 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 9.0.5 | 2024-07-11
The Quiz and Survey Master (QSM) WordPress plugin before 9.0.5 does not sanitise and escape some of its Quiz settings, which could allow contributors and higher to perform Stored Cross-Site Scripting attacks
nvd
CVE-2022-40698 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.3.11 | ≤ 7.3.10 | 2022-11-18
Auth. (subscriber+) Cross-Site Scripting (XSS) vulnerability in Quiz And Survey Master plugin <= 7.3.10 on WordPress.
nvd
CVE-2025-9294 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | fixed in 10.3.2 | 2026-01-06
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete qu
nvd
CVE-2024-6390 | P4 | MEDIUM | CVSS 5.9 | CWE-79 | fixed in 9.1.0 | 2024-08-03
The Quiz and Survey Master (QSM) WordPress plugin before 9.1.0 does not properly sanitise and escape some of its Quiz settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks
nvd
CVE-2021-36864 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 7.3.4 | 2022-10-28
Auth. (editor+) Reflected Cross-Site Scripting (XSS) vulnerability in ExpressTech Quiz And Survey Master plugin <= 7.3.4 on WordPress.
nvd
CVE-2024-6879 | P4 | MEDIUM | CVSS 4.7 | CWE-79 | fixed in 9.1.1 | 2024-08-26
The Quiz and Survey Master (QSM) WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allow contributor and above roles to perform Stored Cross-Site Scripting (XSS) attacks.
nvd