A popular WordPress quiz plugin can be abused to mount SQL injection attacks
- An SQL injection flaw was found in QSM plugin versions 10.3.1 and below
- Vulnerability allows logged-in users (Subscriber or higher) to extract sensitive database data
- WordPress admins urged to update QSM to v10.3.2 or newer to mitigate risk
If your website is running the Quiz and Survey Master WordPress plugin, you might want to update it to the latest version, or risk a possible cyberattack.
QSM lets users create quizzes, surveys, and forms without coding, and more than 40,000 websites actively use it. Recently, however, it was discovered that versions 10.3.1 and older were vulnerable to an SQL injection flaw that allowed any logged-in user to inject SQL into the plugin's database queries.
A security advisory from Patchstack noted this means any user with a “subscriber” account, or one with higher privileges, could perform a wide array of unwanted actions on vulnerable websites, including data exfiltration.
How many websites are vulnerable?
Users are advised to update to version 10.3.2, or any newer version, as soon as possible. According to data on the official WordPress.org website, the newest version is 10.3.5.
Unfortunately, there is no way of telling exactly how many websites are patched and how many remain vulnerable. Official numbers show that a slim majority (52.1%) are running version 10.3, which means that at least 47.9%, equal to 19,160 websites, are definitely vulnerable. Of the remaining 39,980, at least some are running the vulnerable version 10.3.1.
Right now, there is no evidence of the flaw being abused in the wild, but given the plugin's popularity, it is safe to assume that threat actors will start scanning for websites using QSM. The bug is now tracked as CVE-2025-67987 and was fixed in version 10.3.2.
As a general rule of thumb, WordPress users should always keep their website builder platforms updated, as well as any plugins and themes they are using. Security professionals also advise that all plugins and themes that are not actively being used be deleted from the servers entirely.
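The two pieces of advice above (update QSM to 10.3.2 or newer, delete unused plugins) can be checked mechanically. The script below is an added example, not code from the article, Patchstack or the QSM project; it assumes the plugin inventory is the JSON that `wp plugin list --format=json` emits (fields name/status/version) and that QSM's WordPress.org slug is `quiz-master-next`, both of which you should confirm against your own install.

```python
"""Audit a WordPress plugin inventory for the QSM SQL injection advisory.

Added example, not code from the article, Patchstack or the QSM project.
It assumes the inventory is the JSON emitted by `wp plugin list --format=json`
(fields name/status/version) and that QSM's WordPress.org slug is
`quiz-master-next` (an assumption; check it against your install).
"""
import json
import re

QSM_SLUG = "quiz-master-next"   # assumed slug for Quiz and Survey Master
QSM_FIXED = "10.3.2"            # first release without CVE-2025-67987
CVE_ID = "CVE-2025-67987"

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_INVENTORY = json.dumps([
    {"name": "quiz-master-next", "status": "active", "version": "10.3.1"},
    {"name": "akismet", "status": "active", "version": "5.3"},
    {"name": "hello", "status": "inactive", "version": "1.7.2"},
])


def parse_version(version):
    """Turn '10.3.10' into (10, 3, 10) so numeric, not string, order applies.

    A plain string comparison would rank '10.3.10' below '10.3.2'; tuples
    of ints do not. Non-numeric suffixes such as '-beta' are ignored.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version):
    """True when the installed QSM version predates the fixed release."""
    return parse_version(version) < parse_version(QSM_FIXED)


def audit(inventory_json):
    """Return (plugin, finding) pairs a site owner should act on."""
    findings = []
    for plugin in json.loads(inventory_json):
        name, status, version = plugin["name"], plugin["status"], plugin["version"]
        if name == QSM_SLUG and is_vulnerable(version):
            findings.append((name, f"{version} < {QSM_FIXED}: update ({CVE_ID})"))
        if status == "inactive":
            # Unused plugins still ship code; the advice above is to remove them.
            findings.append((name, "inactive plugin: delete it from the server"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```

On a real site, pipe `wp plugin list --format=json` into `audit()` instead of the constructed sample.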
Via Infosecurity Magazine
Sead Fadilpašić is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he has written for numerous media outlets, including Al Jazeera Balkans. He has also held several modules on content writing for Represent Communications.