CVE-2025-30774: 
WordPress vulnerability analysis and mitigation

The WordPress Quiz Maker plugin contains an SQL Injection vulnerability (CVE-2025-30774) that affects versions up to and including 6.6.8.7. The vulnerability was discovered on March 12, 2025, and publicly disclosed on March 29, 2025. This security issue exists in the Ays Pro Quiz Maker component and allows unauthenticated attackers to perform SQL injection attacks (Patchstack).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries in the Quiz Maker plugin. This allows unauthenticated attackers to append additional SQL queries to existing ones, potentially extracting sensitive information from the database. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L and is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (WPScan).

The vulnerability allows malicious actors to directly interact with the website's database, potentially leading to unauthorized access to sensitive information. Due to its high severity rating and unauthenticated nature, this vulnerability is expected to become mass exploited (Patchstack).

Website administrators are strongly advised to update the Quiz Maker plugin to version 6.6.8.8 or later, which contains the fix for this vulnerability. For users of Patchstack, virtual patching is available to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).