Platform
wordpress
Component
surveyjs
Fixed in
1.10.0
2.5.4
2.5.4
CVE-2026-2440 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting the SurveyJS plugin for WordPress, versions up to and including 2.5.3. An attacker can inject HTML-encoded payloads through survey result submissions; the stored payload is later decoded and rendered as executable HTML when an administrator views the survey results. The result is stored XSS in the administrator context, which can lead to account compromise and further malicious activity.
This XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of an administrator's browser session. Successful exploitation could lead to session hijacking, credential theft, defacement of the WordPress site, or redirection to malicious websites. The stored nature of the vulnerability means that the malicious payload persists in the database, potentially affecting multiple administrators over time. The ability to execute code in the admin context significantly expands the attack surface, allowing for deeper compromise of the WordPress installation.
CVE-2026-2440 was publicly disclosed on 2026-03-20. While no public exploits have been confirmed, the ease of exploitation and the potential impact make it a high-priority vulnerability. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on administrator access for impact means exploitation is likely targeted and less widespread than vulnerabilities affecting public-facing endpoints.
WordPress websites utilizing the SurveyJS Drag & Drop Form Builder plugin, particularly those with multiple administrators or those handling sensitive survey data, are at risk. Shared hosting environments where plugin updates are managed by the hosting provider may also be vulnerable if they have not applied the necessary patch.
• wordpress / composer / npm:
grep -r 'surveyResult.html' /var/www/html/wp-content/plugins/surveyjs
• generic web:
curl -I https://your-wordpress-site.com/survey/result?id=1 | grep Content-Type
• wordpress / composer / npm:
wp plugin list --status=active | grep surveyjs
disclosure
Exploit status
EPSS
0.07% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2440 is to upgrade the SurveyJS plugin for WordPress to a version greater than 2.5.3, where the vulnerability has been addressed. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing strict input validation and output encoding on the survey submission form. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review survey results for any suspicious HTML content.
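The two mitigation points above, output encoding of stored answers and a periodic review of stored results for HTML content, are shown together in the following added example. It is illustrative code written for this page, not code from the SurveyJS plugin or from WordPress; the decoder, the `renderAnswerUnsafe` / `renderAnswerSafe` pair, the `flagSuspicious` review helper and the sample result rows are all constructed here, and the unsafe renderer only stands in for the pattern the advisory describes (decode the stored HTML-encoded value, then emit it as markup).

```javascript
// Added example (not SurveyJS or plugin code): why decoding a stored
// HTML-encoded answer and emitting it as markup is dangerous, how the same
// value is rendered safely, and how stored results can be screened for HTML.

// Minimal entity decoder standing in for whatever a result viewer does
// before display; "&lt;b&gt;" becomes "<b>", "&#60;" and "&#x3c;" become "<".
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+\d*);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(code) ? String.fromCodePoint(code) : match;
    }
    const name = body.toLowerCase();
    return name in NAMED_ENTITIES ? NAMED_ENTITIES[name] : match;
  });
}

// Output encoding: escape the characters that can change HTML structure.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored value is decoded and trusted as markup,
// so a submission stored as "&lt;script&gt;..." comes back as a live tag.
function renderAnswerUnsafe(storedAnswer) {
  return `<td>${decodeEntities(storedAnswer)}</td>`;
}

// Hardened pattern: whatever form the value was stored in, it is escaped
// again at the point of output, so the browser shows the text literally.
function renderAnswerSafe(storedAnswer) {
  return `<td>${escapeHtml(decodeEntities(storedAnswer))}</td>`;
}

// Review helper for "regularly review survey results for suspicious HTML":
// decode each stored answer and flag anything that contains a tag, an
// inline event-handler attribute, or a javascript: URL. Returns the ids.
const SUSPICIOUS = [/<\s*\/?\s*[a-z][\w-]*/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];

function flagSuspicious(results) {
  return results
    .filter((r) => {
      const decoded = decodeEntities(r.answer);
      return SUSPICIOUS.some((re) => re.test(decoded));
    })
    .map((r) => r.id);
}

// Constructed sample rows: id 2 is a benign answer containing an ampersand
// (it must not be flagged); id 3 is a stored, HTML-encoded script tag.
const SAMPLE_RESULTS = [
  { id: 1, answer: "Very satisfied" },
  { id: 2, answer: "R&amp;D team" },
  { id: 3, answer: "&lt;script&gt;alert(1)&lt;/script&gt;" },
];

for (const row of SAMPLE_RESULTS) {
  console.log(row.id, "unsafe:", renderAnswerUnsafe(row.answer));
  console.log(row.id, "safe:  ", renderAnswerSafe(row.answer));
}
console.log("rows needing review:", flagSuspicious(SAMPLE_RESULTS));
```

The review helper errs on the side of flagging: a legitimate answer that happens to contain an angle bracket followed by a letter will be reported, which is the right trade-off for a manual review queue in the administrator context.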
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-2440 is a Stored Cross-Site Scripting (XSS) vulnerability in the SurveyJS plugin for WordPress versions up to 2.5.3, allowing attackers to inject malicious code via survey submissions.
If you are using SurveyJS Drag & Drop Form Builder version 2.5.3 or earlier on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the SurveyJS plugin for WordPress to a version greater than 2.5.3. Consider implementing input validation and WAF rules as temporary mitigations.
While no confirmed active exploitation has been reported, the vulnerability's ease of exploitation makes it a potential target.
Refer to the SurveyJS security advisories on their official website for the latest information and updates regarding this vulnerability.