CVE-2025-10042

MEDIUM

Ays-pro Quiz Maker < 6.7.0.57 - SQL Injection

Title source: rule

Description

The Quiz Maker plugin for WordPress is vulnerable to SQL Injection via spoofed IP headers in all versions up to, and including, 6.7.0.56 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable in configurations where the server is set up to retrieve the IP from a user-supplied field like `X-Forwarded-For` and limit users by IP is enabled.

Exploits (3)

exploitdb WORKING POC

by Rahul Sreenivasan · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52465

View Code ZIP pw:eip

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-10042

View Code ZIP pw:eip

nomisec WORKING POC 2 stars

by fumioryoto · poc

https://github.com/fumioryoto/Quiz-Maker-SQL-Injection-CVE-2025-10042

View Code ZIP pw:eip

References (4)

[Product] https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.52/public/class-quiz-maker-public.php

[Product] https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.52/public/class-quiz-maker-public.php#L7145

[Product] https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.57/public/class-quiz-maker-public.php#L7149

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/4eeae6dd-a41f-4878-aa92-064ec78367d7?source=cve

Scores

CVSS v3 5.9

EPSS 0.0004

EPSS Percentile 13.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-89

Status published

Products (2)

ays-pro/Quiz Maker < 6.7.0.56

ays-pro/quiz_maker < 6.7.0.57

Published Sep 17, 2025

Tracked Since Feb 18, 2026