Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Likert Survey Master likert-survey-master allows Reflected XSS.This issue affects Likert Survey Master: from n/a through <= 0.8.0.1.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows attackers to inject malicious scripts that are reflected in the browser. Based on the description, it is inferred that an attacker can craft a request that includes JavaScript code, which will be executed in the context of any user who visits the survey page, and that because the code runs with the permissions of the victim's browser, the attacker can steal session cookies, deface the site, or perform unauthorized actions on behalf of the user.

Affected Systems

Bob Likert Survey Master, a WordPress plugin, is vulnerable in all releases from the first public version up to and including 0.8.0.1. Any WordPress site that has installed this plugin without updating to a newer release is impacted.

Risk and Exploitability

Based on the description, it is inferred that exploitation requires only a crafted URL or form input that is reflected back to the user, making it easy for a non‑privileged attacker to attack unsuspecting visitors who view a malicious link. The CVSS v3.1 score is 7.1, indicating a high potential for client‑side damage. The EPSS score is less than 1 %, suggesting that exploitation attempts are uncommon but still possible, and the vulnerability is not yet listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 30, 2026 at 14:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Likert Survey Master plugin to the latest version that contains the XSS fix.
  • If an immediate update is not feasible, remove or block all user‑controllable input that is reflected by the plugin or disable the plugin entirely.
  • Implement a restrictive Content Security Policy that disallows inline scripts and unsafe eval on the WordPress site.
  • Ensure that all input fields provided by the plugin are sanitized and escaped when rendered.

Generated by OpenCVE AI on April 30, 2026 at 14:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Likert Survey Master likert-survey-master allows Reflected XSS.This issue affects Likert Survey Master: from n/a through <= 0.8.0.1.
Title WordPress Likert Survey Master plugin <= 0.8.0.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:24.461Z

Reserved: 2025-06-30T10:46:02.700Z

Link: CVE-2025-53426

cve-icon Vulnrichment

Updated: 2025-10-23T13:52:59.399Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:50.993

Modified: 2026-04-27T18:16:22.107

Link: CVE-2025-53426

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T15:00:14Z

Weaknesses