CVE-2026-2440
Stored XSS in SurveyJS WordPress Plugin Allows Admin Context Execution
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| surveyjs | plugin | to 2.5.3 (inc) |
| surveyjs | surveyjs | to 2.5.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The SurveyJS plugin for WordPress is vulnerable to a Stored Cross-Site Scripting (XSS) attack in all versions up to and including 2.5.3. This vulnerability arises because the plugin does not properly sanitize input or escape output when handling survey result submissions.
Specifically, the public survey page exposes a nonce required for submission, which allows unauthenticated attackers to submit HTML-encoded payloads. These payloads are then decoded and rendered as executable HTML when an administrator views the survey results in the WordPress admin interface, leading to stored XSS in the admin context.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute malicious scripts in the context of the WordPress administrator's browser when they view survey results. Because the XSS is stored, the malicious code persists and can affect multiple admin users.
Potential impacts include theft of administrator session cookies, unauthorized actions performed with administrator privileges, defacement of the admin interface, or installation of malware. Since the attacker can submit payloads without authentication, the risk is elevated.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves stored Cross-Site Scripting (XSS) in the SurveyJS WordPress plugin via survey result submissions. Detection involves identifying if your system is running a vulnerable version (up to and including 2.5.3) of the SurveyJS plugin and monitoring for suspicious survey result submissions containing HTML-encoded payloads.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is exploited by submitting malicious HTML payloads through the survey result submission AJAX endpoint, you can detect attempts by monitoring HTTP POST requests to the AJAX handler URL (e.g., the endpoint handling survey result submissions).'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity include:'}, {'type': 'list_item', 'content': "Using web server logs, search for POST requests to the survey result submission endpoint (e.g., URLs containing 'save_result.php' or AJAX actions related to 'surveyjs-save-result'). For example, on a Linux server:"}, {'type': 'list_item', 'content': "grep -i 'POST.*save_result.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i 'surveyjs-save-result' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Look for suspicious payloads containing HTML tags or encoded HTML entities in the POST data, which may indicate attempts to inject scripts.'}, {'type': 'list_item', 'content': "If you have access to the WordPress database, query the survey results table (usually named with a prefix plus 'sjs_results') to look for entries containing suspicious HTML or script tags in the stored JSON data."}, {'type': 'list_item', 'content': 'Example SQL query to find suspicious entries:'}, {'type': 'list_item', 'content': "SELECT * FROM wp_sjs_results WHERE Json LIKE '%<script%' OR Json LIKE '%<script%';"}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the SurveyJS WordPress plugin to a version later than 2.5.3 where the vulnerability is fixed.
- If an update is not immediately possible, restrict access to the survey result submission endpoint and the WordPress admin interface to trusted users only.
- Implement Web Application Firewall (WAF) rules to block or sanitize suspicious POST requests containing HTML or script tags targeting the survey result submission endpoint.
- Regularly audit and sanitize existing survey results stored in the database to remove any malicious scripts.
- Ensure that WordPress nonces and other security mechanisms are properly enforced and monitored.