CVE-2021-24221: 
WordPress vulnerability analysis and mitigation

The Quiz And Survey Master WordPress plugin (versions before 7.1.12) contained a SQL injection vulnerability identified as CVE-2021-24221. The vulnerability was discovered by Nguyen Van Khanh from SunCSR (Sun* Cyber Security Research) and was publicly disclosed on March 26, 2021. This security issue affected the plugin's handling of the resultid parameter in the [qsmresult] shortcode functionality (WPScan).

The vulnerability stems from improper sanitization of the resultid GET parameter on pages containing the [qsmresult] shortcode without an id attribute. The parameter was directly concatenated into SQL statements, leading to potential SQL injection. The issue received a CVSS v3.1 score of 8.8 (HIGH), indicating its serious nature (NVD).

The vulnerability could allow users with author-level privileges or higher to gain unauthorized access to the database management system (DBMS). More critically, if the shortcode without the id attribute was embedded on a public page or post, unauthenticated users could potentially exploit the SQL injection vulnerability (WPScan).

The vulnerability was patched in version 7.1.12 of the Quiz And Survey Master plugin. Users are strongly advised to update to this version or later to protect against potential exploitation (WordPress Plugins).