Platform: wordpress
Component: surveyjs
Fixed in: 1.10.0, 2.5.4
CVE-2026-2440 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting the SurveyJS plugin for WordPress versions up to and including 2.5.3. An attacker can inject malicious HTML-encoded payloads through survey result submissions, which are then rendered as executable HTML when an administrator views survey results. This vulnerability allows for stored XSS in the admin context, potentially leading to account compromise and further malicious activity.
This XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of an administrator's browser session. Successful exploitation could lead to session hijacking, credential theft, defacement of the WordPress site, or redirection to malicious websites. The stored nature of the vulnerability means that the malicious payload persists in the database, potentially affecting multiple administrators over time. The ability to execute code in the admin context significantly expands the attack surface, allowing for deeper compromise of the WordPress installation.
CVE-2026-2440 was publicly disclosed on 2026-03-20. While no public exploits have been confirmed, the ease of exploitation and the potential impact make it a high-priority vulnerability. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on administrator access for impact means exploitation is likely targeted and less widespread than vulnerabilities affecting public-facing endpoints.
Exploit Status
EPSS: 0.07% (23rd percentile)
The primary mitigation for CVE-2026-2440 is to upgrade the SurveyJS plugin for WordPress to a version greater than 2.5.3, where the vulnerability has been addressed. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing strict input validation and output encoding on the survey submission form. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review survey results for any suspicious HTML content.
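The advisory's mitigation of output encoding in the admin results view, shown as an added PHP example. This is not code from the SurveyJS plugin: the vulnerable function models the failure mode described above (a stored, entity-encoded answer that is decoded and echoed as live HTML), and that decode-before-echo step is a hypothetical reconstruction of how this bug class typically arises, not the plugin's actual code. `esc_html()` and `esc_attr()` are real WordPress functions; they are shimmed with `htmlspecialchars()` so the script also runs outside WordPress. The sample rows are constructed.

```php
<?php
// Added example, not code from the SurveyJS plugin. The vulnerable renderer is a
// hypothetical reconstruction of the bug class the advisory describes; the safe
// renderer escapes at output time. esc_html()/esc_attr() are WordPress functions,
// shimmed here so the script runs stand-alone (php this_file.php).

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return esc_html($text);
    }
}

/**
 * Vulnerable pattern (hypothetical): the stored value is entity-decoded to
 * "undo" encoding applied on submission, then concatenated into markup.
 * Any tags the respondent submitted become live HTML in the admin's browser.
 */
function render_answer_vulnerable(string $question, string $stored_answer): string {
    $decoded = html_entity_decode($stored_answer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<tr><td>{$question}</td><td>{$decoded}</td></tr>";
}

/**
 * Hardened pattern: never decode stored user data into markup; escape every
 * value at the point of output. The browser shows the literal characters the
 * respondent typed and executes nothing.
 */
function render_answer_safe(string $question, string $stored_answer): string {
    return '<tr><td>' . esc_html($question) . '</td><td>' . esc_html($stored_answer) . '</td></tr>';
}

/**
 * Review helper for the "regularly review survey results" mitigation: returns
 * the IDs of stored answers that, once entity-decoded, contain a tag-like
 * sequence or an on*= handler attribute, so an administrator can inspect them.
 */
function find_suspicious_answers(array $rows): array {
    $flagged = [];
    foreach ($rows as $id => $answer) {
        $decoded = html_entity_decode($answer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if (preg_match('/<\s*\/?\s*[a-z]/i', $decoded) || preg_match('/\bon[a-z]+\s*=/i', $decoded)) {
            $flagged[] = $id;
        }
    }
    return $flagged;
}

// Constructed sample rows (not real survey data): one benign answer and one
// answer stored as entity-encoded markup, the shape a submission filter can
// leave behind.
$rows = [
    101 => 'Very satisfied with the service.',
    102 => '&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;',
];

echo "Vulnerable rendering (row 102 becomes a live <script> element):\n";
foreach ($rows as $id => $answer) {
    echo render_answer_vulnerable("Answer {$id}", $answer), "\n";
}

echo "\nSafe rendering (row 102 is displayed as inert text):\n";
foreach ($rows as $id => $answer) {
    echo render_answer_safe("Answer {$id}", $answer), "\n";
}

echo "\nFlagged for manual review: ", implode(', ', find_suspicious_answers($rows)), "\n";
```

Two points of design worth noting. First, the fix is purely about where escaping happens: encoding on submission is no protection if the view layer decodes again, so the safe renderer treats the stored value as opaque text and escapes it at output, which is also what WordPress's own `esc_html()` is for (the real function does not double-encode existing entities the way the shim does, but both outputs are inert). Second, `find_suspicious_answers()` decodes before matching so that entity-encoded markup is not missed; it is a triage aid for the manual review the advisory recommends, not a substitute for upgrading or for output escaping.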
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-2440 is a Stored Cross-Site Scripting (XSS) vulnerability in the SurveyJS plugin for WordPress versions up to 2.5.3, allowing attackers to inject malicious code via survey submissions.
If you are using SurveyJS Drag & Drop Form Builder version 2.5.3 or earlier on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the SurveyJS plugin for WordPress to a version greater than 2.5.3. Consider implementing input validation and WAF rules as temporary mitigations.
While no confirmed active exploitation has been reported, the vulnerability's ease of exploitation makes it a potential target.
Refer to the SurveyJS security advisories on their official website for the latest information and updates regarding this vulnerability.