CVE-2022-4032

HIGH

Quiz and Survey Master <8.0.4 - Code Injection


Description

The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page.

Scores

CVSS v3 7.2
EPSS 0.0072
EPSS Percentile 49.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-20, CWE-79
Status published
Products (2)
expresstech/Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker < 8.0.4
expresstech/quiz_and_survey_master < 8.0.4
Published Nov 29, 2022
Tracked Since Feb 18, 2026