More than 40,000 WordPress sites affected by new malware flaw - find out if you're affected

A popular WordPress quiz plugin can be abused to mount SQL injection attacks

TechRadar News, by Sead Fadilpašić, published 4 February 2026



  • An SQL injection flaw in QSM plugin versions 10.3.1 and below was found
  • Vulnerability allows logged-in users (Subscriber or higher) to extract sensitive database data
  • WordPress admins urged to update QSM to v10.3.2 or newer to mitigate risk

If your website is running the Quiz and Survey Master WordPress plugin, you might want to update it to the latest version, or risk a possible cyberattack.

QSM lets users create quizzes, surveys, and forms without coding, and more than 40,000 websites actively use it - but it was recently discovered that versions 10.3.1 and older are vulnerable to an SQL injection flaw that allows any logged-in user to inject SQL into the site's database.

A security advisory from Patchstack noted this means any user with a “subscriber” account, or one with higher privileges, could perform a wide array of unwanted actions on vulnerable websites, including data exfiltration.

How many websites are vulnerable?

Users are advised to update to version 10.3.2, or any newer version, as soon as possible. As per data on the official WordPress.org website, the newest version is 10.3.5.

Unfortunately, there is no way of telling exactly how many websites are patched and how many remain vulnerable. Official numbers show that a slim majority - 52.1% - are running version 10.3, which means that at least 47.9% - which equals 19,160 websites - are definitely vulnerable. Of the remaining 39,980, at least some are running the vulnerable version 10.3.1.

Right now, there is no evidence of the flaw being abused in the wild, but given the plugin's popularity, it is safe to assume that threat actors will now start scanning for websites using QSM. The bug is tracked as CVE-2025-67987 and was fixed in version 10.3.2.
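To find out whether a site you administer is affected, here is an added Python check (not from the article or the QSM project) that reads the plugin's full version string from its header file and compares it with the fixed release 10.3.2, which the WordPress.org branch statistics quoted above cannot do. The plugin directory slug `quiz-master-next` and main file `mlw_quizmaster2.php` are assumptions; verify them against your own install.

```python
import re
from pathlib import Path

FIXED_VERSION = "10.3.2"   # first QSM release without CVE-2025-67987, per the article
# Assumed location of the plugin's main file; adjust to match your install.
PLUGIN_MAIN_FILE = "wp-content/plugins/quiz-master-next/mlw_quizmaster2.php"

# Constructed sample of a WordPress plugin header, used only for the demo below.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Quiz And Survey Master
 * Version: 10.3.1
 */
"""

def parse_version(ver):
    """'10.3' -> (10, 3, 0): pad so a bare branch number compares correctly."""
    parts = [int(p) for p in ver.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def header_version(php_source):
    """Read the Version: field from the plugin header comment, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\d+(?:\.\d+)*)", php_source, re.M)
    return m.group(1) if m else None

def is_vulnerable(ver):
    """Anything below the fixed version is affected (10.3.1 and older)."""
    return parse_version(ver) < parse_version(FIXED_VERSION)

def assess_header(php_source):
    """Classify an installed copy from its header; None means version unknown."""
    ver = header_version(php_source)
    if ver is None:
        return {"installed": True, "version": None, "vulnerable": None}
    return {"installed": True, "version": ver, "vulnerable": is_vulnerable(ver)}

def assess_site(wp_root):
    """Check one WordPress document root; QSM not installed means not affected."""
    main = Path(wp_root) / PLUGIN_MAIN_FILE
    if not main.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    return assess_header(main.read_text(errors="replace"))

if __name__ == "__main__":
    import sys
    roots = sys.argv[1:] or ["/var/www/html"]   # pass one or more site roots
    for root in roots:
        print(root, assess_site(root))
```

Run it with the document roots of every WordPress site you manage; any result with `"vulnerable": True` needs the plugin updated to 10.3.2 or newer, and `None` means the header could not be parsed and should be inspected by hand.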

As a general rule of thumb, WordPress users should always keep their website builder platforms updated, as well as any plugins and themes they are using. Security professionals also advise that all plugins and themes that are not actively being used be deleted from the servers entirely.
