CVE-2025-10042: 
WordPress vulnerability analysis and mitigation

The Quiz Maker plugin for WordPress is vulnerable to SQL Injection via spoofed IP headers in versions up to and including 6.7.0.56. This vulnerability was discovered and reported on September 17, 2025. The issue affects the Quiz Maker WordPress plugin and has been assigned CVE-2025-10042 (NVD).

The vulnerability exists due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries. The issue specifically occurs when processing IP headers in configurations where the server retrieves IP addresses from user-supplied fields like X-Forwarded-For and IP limiting is enabled. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.9 MEDIUM (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD).

When exploited, this vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to unauthorized access to sensitive information stored in the database (NVD).

Users should upgrade to version 6.7.0.57 or later which contains the fix for this vulnerability. The issue has been patched in the updated version as evidenced by the code changes (WordPress Plugin).