Platform
wordpress
Component
surveyjs
Fixed in
1.10.0
2.5.4
CVE-2026-2440 is a Stored Cross-Site Scripting (XSS) vulnerability in the SurveyJS plugin for WordPress. Unauthenticated attackers can submit survey responses containing HTML-entity-encoded payloads; the plugin stores them and, when an administrator views the survey results, decodes the entities and inserts the resulting HTML into the page, so any script or event handler it contains executes in the administrator's browser. Versions up to and including 2.5.3 are affected.
The primary impact of CVE-2026-2440 is stored XSS executing in the WordPress administrator's context. A successful exploit runs attacker-controlled JavaScript in the administrator's browser session, where it can act with the administrator's privileges. This can lead to account takeover, theft of sensitive user data held in WordPress, defacement of the website, or redirection to malicious sites. Exploitation does require an administrator to open the manipulated survey results, but that is a routine step for anyone reviewing responses, so the condition barely limits the attack while the administrator context maximises its impact. Because the nonce needed for the submission endpoint is publicly exposed, the unauthenticated submission step is trivial and the attack is accessible to a wide range of attackers.
CVE-2026-2440 was publicly disclosed on 2026-03-20. No public proof-of-concept (PoC) code is currently known. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. Given the relatively straightforward nature of XSS exploitation and the public disclosure, it is reasonable to expect that attackers may begin actively targeting vulnerable installations.
WordPress websites utilizing the SurveyJS Drag & Drop Form Builder plugin, particularly those with multiple administrators or those handling sensitive survey data, are at risk. Shared hosting environments where plugin updates are managed by the hosting provider may also be vulnerable if they have not applied the necessary patch.
• wordpress / composer / npm:
grep -r 'surveyResult.html' /var/www/html/wp-content/plugins/surveyjs
• generic web:
curl -I https://your-wordpress-site.com/survey/result?id=1 | grep Content-Type
• wordpress / composer / npm:
wp plugin list --status=active | grep surveyjs
Disclosure
Exploit status
EPSS
0.07% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2440 is to upgrade the SurveyJS plugin for WordPress to a patched release. The affected range is 2.5.3 and earlier, and the "Fixed in" field above lists 2.5.4, so install 2.5.4 or later and confirm the installed version with wp plugin list. Until the update is applied, treat the stored survey results as untrusted: review submissions for entity-encoded markup (for example "&lt;script", "&lt;img" or "onerror=") before anyone opens the results page, and avoid opening it from an administrator account at all if the review cannot be done. A Web Application Firewall rule that blocks HTML-encoded tags and event-handler attributes in survey submissions reduces exposure but is not a substitute for the patch, since encoding variants are easy to miss. Regularly scan the WordPress installation for vulnerable plugins with a security scanning tool.
Patch status field: "No known patch available" (generic text). This conflicts with the "Fixed in" value of 2.5.4 listed above, so verify against the plugin's changelog before relying on either. If no fixed release is available for your installation, review the vulnerability details, apply protective measures according to your organisation's risk appetite, and consider uninstalling the affected plugin in favour of an alternative.
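The following is an added example written for this page; it is not code from the SurveyJS plugin. It shows the bug class the description above and the review workaround in the mitigation text refer to: a results renderer that entity-decodes stored answers and writes the result straight into markup (the vulnerable pattern), the same renderer with output encoding applied after decoding (the hardened form), and a triage scanner that flags stored submissions whose decoded value contains markup. The stored-result shape (an id plus an answers object), the question names and the sample submissions are constructed for the example; the plugin's real storage format and function names are not known from this page.

```javascript
// Added example for CVE-2026-2440's bug class; not the SurveyJS plugin's code.
// The result shape {id, answers: {question: value}} and the sample data below
// are assumptions made for this example.

// Minimal HTML entity decoder: the step that turns a stored "&lt;img ...&gt;"
// back into "<img ...>" before display.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, code) => {
    const c = code.toLowerCase();
    if (c.startsWith('#x')) return String.fromCodePoint(parseInt(c.slice(2), 16));
    if (c.startsWith('#')) return String.fromCodePoint(parseInt(c.slice(1), 10));
    return named[c] !== undefined ? named[c] : match;
  });
}

// Output encoding for an HTML text context, applied at the point of insertion.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Vulnerable pattern: decode, then concatenate straight into markup that is
// later assigned to innerHTML. Markup inside the answer becomes live DOM and
// an onerror handler runs with the viewing administrator's session.
function renderResultsUnsafe(results) {
  return results.map(r =>
    '<tr>' + Object.values(r.answers)
      .map(a => '<td>' + decodeEntities(String(a)) + '</td>').join('') + '</tr>'
  ).join('\n');
}

// Hardened form: decoding is still allowed (it is what the reviewer wants to
// read), but the value is escaped at the output boundary so it is shown as text.
function renderResultsSafe(results) {
  return results.map(r =>
    '<tr>' + Object.values(r.answers)
      .map(a => '<td>' + escapeHtml(decodeEntities(String(a))) + '</td>').join('') + '</tr>'
  ).join('\n');
}

// Triage heuristics for already-stored submissions. Decode first: the payload
// was stored entity-encoded, so grepping the raw value for "<" misses it.
const SUSPICIOUS = [
  [/<\s*\/?\s*[a-z!]/i, 'html tag after decoding'],
  [/\bon[a-z]+\s*=/i, 'inline event handler'],
  [/javascript\s*:/i, 'javascript: URL'],
];

function findSuspiciousAnswers(results) {
  const hits = [];
  for (const r of results) {
    for (const [question, raw] of Object.entries(r.answers)) {
      const decoded = decodeEntities(String(raw));
      const match = SUSPICIOUS.find(([re]) => re.test(decoded));
      if (match) hits.push({ id: r.id, question, reason: match[1] });
    }
  }
  return hits;
}

// Constructed sample submissions (not real data): one benign answer with a
// legitimately encoded ampersand, one entity-encoded img/onerror payload, and
// one hex-encoded anchor carrying a javascript: URL.
const SAMPLE_RESULTS = [
  { id: 101, answers: { q1: 'Tom &amp; Jerry', q2: 'Mostly satisfied' } },
  { id: 102, answers: { q1: '&lt;img src=x onerror=alert(document.cookie)&gt;', q2: 'n/a' } },
  { id: 103, answers: { q1: 'ok', q2: '&#x3C;a href=&quot;javascript:alert(1)&quot;&#x3E;click&#x3C;/a&#x3E;' } },
];

console.log('flagged:', findSuspiciousAnswers(SAMPLE_RESULTS));
console.log('safe render:\n' + renderResultsSafe(SAMPLE_RESULTS));
```

The scanner is a triage heuristic, not a filter: it is meant to tell a reviewer which stored submissions to delete before the results page is opened from an administrator account, and it will occasionally flag benign text such as a word ending in "on" followed by "=". The real fix is the renderer change, which encodes at output regardless of what decoding happened upstream.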
CVE-2026-2440 is a Stored Cross-Site Scripting (XSS) vulnerability in the SurveyJS plugin for WordPress versions up to 2.5.3, allowing attackers to inject malicious code via survey submissions.
If you are using SurveyJS Drag & Drop Form Builder version 2.5.3 or earlier on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the SurveyJS plugin for WordPress to 2.5.4 or later (the affected range is 2.5.3 and earlier). Until then, review stored submissions for encoded markup and use WAF rules as a temporary mitigation.
While no confirmed active exploitation has been reported, the vulnerability's ease of exploitation makes it a potential target.
Refer to the SurveyJS security advisories on their official website for the latest information and updates regarding this vulnerability.