Improper neutralization of input during web page generation in the Ays Pro Survey Maker plugin allows attackers to embed malicious scripts that are later rendered by a victim’s browser. The stored XSS flaw can be used to execute arbitrary code, hijack sessions, or exfiltrate information from the user’s environment, as the vulnerability originates from insufficient sanitization of survey content that is stored and subsequently displayed to site visitors.

The problem affects the Ays Pro Survey Maker WordPress plugin in all releases up through and including version 5.1.8.8. No information is available indicating that later releases are vulnerable.

The CVSS score of 7.1 indicates a high severity level, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to exploit this flaw by creating or modifying survey entries that include malicious script content, which will then be served to any user who views the survey. Successful exploitation requires that an attacker can introduce data into the survey component and that a victim visits a page rendering that data.