CVE-2025-6739: 
WordPress vulnerability analysis and mitigation

The WPQuiz plugin for WordPress contains a SQL Injection vulnerability (CVE-2025-6739) discovered in all versions up to and including 0.4.2. The vulnerability exists in the 'id' attribute of the 'wpquiz' shortcode due to insufficient escaping of user-supplied parameters and inadequate SQL query preparation (NVD).

The vulnerability is classified as SQL Injection (CWE-89) and has received a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). The issue stems from improper neutralization of special elements in SQL commands, allowing authenticated users with Contributor-level access or higher to append additional SQL queries to existing database queries (NVD).

The vulnerability allows authenticated attackers with Contributor-level privileges or higher to extract sensitive information from the database through SQL injection attacks. This could potentially lead to unauthorized access to sensitive data stored in the WordPress database (NVD).

As of July 1, 2025, the WPQuiz plugin has been temporarily closed and is not available for download pending a full security review (WordPress). Users are advised to remove the plugin until a patched version becomes available.