Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pantherius Modal Survey modal-survey. This issue affects Modal Survey: from n/a through <= 2.0.2.0.1.
Published: 2025-04-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input allows attacker-supplied script to run in a victim's browser, enabling session hijacking, credential theft, defacement, or other client-side attacks. The flaw is a classic XSS vulnerability classified under CWE-79 and carries a CVSS score of 7.1 (High), indicating a high impact on confidentiality, integrity, and availability for the website visitor. The description states that the vulnerability exists in all versions of the Modal Survey plugin up to and including 2.0.2.0.1.

Affected Systems

The vulnerability affects the Pantherius Modal Survey WordPress plugin: any installation running version 2.0.2.0.1 or earlier. The plugin is an add-on deployed on WordPress sites.

Risk and Exploitability

The CVSS score of 7.1 and an EPSS score below 1% indicate that while exploitation potential is significant, realistic attack likelihood is low. The plugin does not appear in the CISA KEV catalog, suggesting no known active exploitation. An attacker would need to craft a payload that is reflected or stored in the survey fields and entice a user to view the page. The attack vector is inferred to be remote, through the web interface, and would exploit client‑side input without proper escaping. The absence of an official fix means risk mitigation relies on updating the plugin or manually sanitizing input.

Generated by OpenCVE AI on April 30, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Modal Survey plugin to a version newer than 2.0.2.0.1.
  • If an upgrade is unavailable, configure the plugin or your site to strip or encode any user-supplied input before rendering it, ensuring that script tags or event handlers cannot be executed.
  • Disable or remove the plugin until a patched version is available.
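As an added illustration of the "encode before rendering" action above (example code written for this page, not code from the Modal Survey plugin or from Pantherius), the snippet below contrasts a hypothetical survey-title field echoed into markup verbatim with the same field passed through an HTML escaper at the point of output. The names `render_unsafe`, `render_safe`, `escape_html` and `$survey_title` are assumptions; inside a WordPress plugin the equivalent calls are `esc_html()` for element text and `esc_attr()` for attribute values, and `wp_kses_post()` where a limited HTML subset is intended.

```php
<?php
// Added example: output encoding for a user-supplied survey field.
// Not code from the Modal Survey plugin; all function names are hypothetical.

// Escapes a value for HTML text and double-quoted attribute contexts.
// Plain PHP is used so the file runs without WordPress; a plugin would
// call esc_html() / esc_attr() instead.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (CWE-79): the field is interpolated into markup as-is,
// so markup or script in the value becomes part of the page.
function render_unsafe(string $survey_title): string
{
    return "<h2 class=\"survey-title\" title=\"$survey_title\">$survey_title</h2>";
}

// Hardened pattern: encode at the point of output, once per context used.
function render_safe(string $survey_title): string
{
    $attr = escape_html($survey_title);   // attribute value context
    $text = escape_html($survey_title);   // element text context
    return "<h2 class=\"survey-title\" title=\"$attr\">$text</h2>";
}

// Constructed sample input (not a payload from the advisory): a value that
// tries to close the attribute and inject a script element.
$input = '"><script>alert(1)</script>';

echo "UNSAFE: " . render_unsafe($input) . PHP_EOL;
echo "SAFE:   " . render_safe($input) . PHP_EOL;
```

Run with `php example.php`: the unsafe line contains a live `<script>` element, while the safe line renders `&quot;&gt;&lt;script&gt;` as inert text. Encoding is applied at output rather than only at input because the correct encoding depends on the HTML context the value lands in; stripping on input is a useful second layer but does not replace it.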

Advisories

Source: EUVD
ID: EUVD-2025-11853
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pantherius Modal Survey allows Reflected XSS. This issue affects Modal Survey: from n/a through 2.0.2.0.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pantherius Modal Survey allows Reflected XSS. This issue affects Modal Survey: from n/a through 2.0.2.0.1.
Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pantherius Modal Survey modal-survey. This issue affects Modal Survey: from n/a through <= 2.0.2.0.1.
References: (no values shown)
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 18 Apr 2025 12:15:00 +0000
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 18 Apr 2025 04:45:00 +0000
Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pantherius Modal Survey allows Reflected XSS. This issue affects Modal Survey: from n/a through 2.0.2.0.1.
Title, value added: WordPress Modal Survey plugin <= 2.0.2.0.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses, value added: CWE-79
References: (no values shown)
Metrics (cvssV3_1), value added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress

MITRE
Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-04-28T16:12:32.191Z
Reserved: 2025-04-16T06:23:43.557Z
Link: CVE-2025-39469

Vulnrichment
Updated: 2025-04-18T11:48:07.906Z

NVD
Status: Deferred
Published: 2025-04-18T05:15:33.633
Modified: 2026-04-23T15:29:37.340
Link: CVE-2025-39469

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-30T21:45:26Z

Weaknesses