The vulnerability arises when the Survey Maker plugin stores user‑supplied content without properly escaping HTML or JavaScript, allowing an attacker to embed malicious scripts that are later rendered when the survey page is viewed. Because the payload is written to the database and then injected into the web page, any visitor who loads the affected survey will have the script executed in their browser. The weakness is identified as CWE‑79, and if exploited it can lead to the transfer of session cookies, defacement of the page, or redirection to malicious sites. The potential damage is contingent on what the attacker can achieve through the injected script, and it is reasonable to infer that credentials or session data could be exfiltrated, and that the integrity of the site could be compromised.

Any WordPress installation that includes the Ays Pro Survey Maker plugin with a version equal to or older than 5.1.3.5. The vulnerability covers all releases from the first component of the plugin through the identified upper bound, with no lower version constraint specified.

The CVSS score of 5.9 classifies the flaw as moderate risk, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need a victim to load a survey containing the malicious input, so user interaction is required. Because the injected scripts execute in the context of the viewer’s session, they can potentially steal credentials or deface the site, thereby impacting confidentiality and integrity.