Quiz Maker <= 6.5.8.3 - Unauthenticated SQL Injection via 'ays_questions' Parameter

Wordfence Intelligence   >   Vulnerability Database   >   Quiz Maker <= 6.5.8.3 - Unauthenticated SQL Injection via 'ays_questions' Parameter
9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE CVE-2024-6028
CVSS 9.8 (Critical)
Publicly Published June 24, 2024
Last Updated June 25, 2024
Researcher Arkadiusz Hydzik

Description

The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'ays_questions' parameter in all versions up to, and including, 6.5.8.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Learn more about SQL Injection vulnerabilities and how to prevent them.

References

Share

Vulnerability Details for Quiz Maker by AYS

Quiz Maker by AYS

Software Type Plugin
Software Slug quiz-maker (view on wordpress.org)
Patched? Yes
Remediation Update to version 6.5.8.4, or a newer patched version
Affected Version
  • <= 6.5.8.3
Patched Version
  • 6.5.8.4

Recent vulnerabilities in Quiz Maker by AYS

Quiz Maker by AYS <= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via 'rate_reason'
5.8
CVE-2026-6817
May 1, 2026
Researcher: CHOIGYEONGMIN
Quiz Maker <= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
6.4
CVE-2026-2384
Feb 19, 2026
Researcher: Muhammad Yudha - DJ
Quiz Maker <= 6.7.1.2 - Cross-Site Request Forgery
4.3
CVE-2026-32342
Feb 10, 2026
Researcher: w41bu1
Quiz Maker <= 6.7.0.88 - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVE-2025-14579
Dec 22, 2025
Researcher: Bakir Tučić
Quiz Maker <= 6.7.0.82 - Cross-Site Request Forgery
4.3
CVE-2025-67595
Dec 2, 2025
Researcher: Doan Dinh Van
Quiz Maker <= 6.7.0.80 - Unauthenticated Sensitive Information Exposure
5.3
CVE-2025-12426
Nov 18, 2025
Researcher: Rafshanzani Suhada
Quiz Maker <= 6.7.0.65 - Unauthenticated Sensitive Information Exposure
5.3
CVE-2025-58015
Sep 22, 2025
Researcher: Muhammad Zidan Ali Mansur
Quiz Maker <= 6.7.0.64 - Cross-Site Request Forgery
4.3
CVE-2025-58014
Sep 22, 2025
Researcher: Muhammad Zidan Ali Mansur
Quiz Maker <= 6.7.0.56 - Unauthenticated SQL Injection
5.9
CVE-2025-10042
Sep 16, 2025
Researcher: Rahul Sreenivasan (Tr0j4n)
Quiz Maker <= 6.5.9.8 - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVE-2024-8617
Sep 16, 2024
Researcher: Krugov Artyom
# Title CVE ID CVSS Researchers Date
1 Quiz Maker by AYS <= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via 'rate_reason' CVE-2026-6817 5.8 CHOIGYEONGMIN May 1, 2026
2 Quiz Maker <= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2026-2384 6.4 Muhammad Yudha - DJ February 19, 2026
3 Quiz Maker <= 6.7.1.2 - Cross-Site Request Forgery CVE-2026-32342 4.3 w41bu1 February 10, 2026
4 Quiz Maker <= 6.7.0.88 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2025-14579 4.4 Bakir Tučić December 22, 2025
5 Quiz Maker <= 6.7.0.82 - Cross-Site Request Forgery CVE-2025-67595 4.3 Doan Dinh Van December 2, 2025
6 Quiz Maker <= 6.7.0.80 - Unauthenticated Sensitive Information Exposure CVE-2025-12426 5.3 Rafshanzani Suhada November 18, 2025
7 Quiz Maker <= 6.7.0.65 - Unauthenticated Sensitive Information Exposure CVE-2025-58015 5.3 Muhammad Zidan Ali Mansur September 22, 2025
8 Quiz Maker <= 6.7.0.64 - Cross-Site Request Forgery CVE-2025-58014 4.3 Muhammad Zidan Ali Mansur September 22, 2025
9 Quiz Maker <= 6.7.0.56 - Unauthenticated SQL Injection CVE-2025-10042 5.9 Rahul Sreenivasan (Tr0j4n) September 16, 2025
10 Quiz Maker <= 6.5.9.8 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2024-8617 4.4 Krugov Artyom September 16, 2024
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation