A vulnerability was found in expresstech Quiz and Survey Master Plugin up to 11.2.0 on WordPress and classified as critical. Affected is the function
qsm_ajax_save_pages of the component AJAX handler. The manipulation of the argument pages results in sql injection.
This vulnerability was named CVE-2026-13767. The attack may be performed from remote. There is no available exploit.