Executive Summary

The SurveyJS plugin for WordPress is vulnerable to a Stored Cross-Site Scripting (XSS) attack in all versions up to and including 2.5.3. This vulnerability arises because the plugin does not properly sanitize input or escape output when handling survey result submissions.

Specifically, the public survey page exposes a nonce required for submission, which allows unauthenticated attackers to submit HTML-encoded payloads. These payloads are then decoded and rendered as executable HTML when an administrator views the survey results in the WordPress admin interface, leading to stored XSS in the admin context.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to execute malicious scripts in the context of the WordPress administrator's browser when they view survey results. Because the XSS is stored, the malicious code persists and can affect multiple admin users.

Potential impacts include theft of administrator session cookies, unauthorized actions performed with administrator privileges, defacement of the admin interface, or installation of malware. Since the attacker can submit payloads without authentication, the risk is elevated.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves stored Cross-Site Scripting (XSS) in the SurveyJS WordPress plugin via survey result submissions. Detection involves identifying if your system is running a vulnerable version (up to and including 2.5.3) of the SurveyJS plugin and monitoring for suspicious survey result submissions containing HTML-encoded payloads.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is exploited by submitting malicious HTML payloads through the survey result submission AJAX endpoint, you can detect attempts by monitoring HTTP POST requests to the AJAX handler URL (e.g., the endpoint handling survey result submissions).'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity include:'}, {'type': 'list_item', 'content': "Using web server logs, search for POST requests to the survey result submission endpoint (e.g., URLs containing 'save_result.php' or AJAX actions related to 'surveyjs-save-result'). For example, on a Linux server:"}, {'type': 'list_item', 'content': "grep -i 'POST.*save_result.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i 'surveyjs-save-result' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Look for suspicious payloads containing HTML tags or encoded HTML entities in the POST data, which may indicate attempts to inject scripts.'}, {'type': 'list_item', 'content': "If you have access to the WordPress database, query the survey results table (usually named with a prefix plus 'sjs_results') to look for entries containing suspicious HTML or script tags in the stored JSON data."}, {'type': 'list_item', 'content': 'Example SQL query to find suspicious entries:'}, {'type': 'list_item', 'content': "SELECT * FROM wp_sjs_results WHERE Json LIKE '%<script%' OR Json LIKE '%&lt;script%';"}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Update the SurveyJS WordPress plugin to a version later than 2.5.3 where the vulnerability is fixed.
• If an update is not immediately possible, restrict access to the survey result submission endpoint and the WordPress admin interface to trusted users only.
• Implement Web Application Firewall (WAF) rules to block or sanitize suspicious POST requests containing HTML or script tags targeting the survey result submission endpoint.
• Regularly audit and sanitize existing survey results stored in the database to remove any malicious scripts.
• Ensure that WordPress nonces and other security mechanisms are properly enforced and monitored.

Useful 0 Not Useful 0