Description
Missing Authorization vulnerability in Ays Pro Survey Maker survey-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Survey Maker: from n/a through <= 5.1.9.4.
Published: 2025-11-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw (CWE-862) that allows an attacker to execute actions normally restricted to privileged users. It stems from incorrectly configured access control security levels: users without the required role can reach protected endpoints, potentially leading to data exposure or manipulation. CWE-862 is a classic authorization bypass.

Affected Systems

WordPress sites using the Ays Pro Survey Maker plugin, versions 5.1.9.4 and earlier. No other plugins or versions are affected according to the CNA information.

Risk and Exploitability

The CVSS base score of 6.5 indicates high potential impact, but the EPSS score of less than 1% implies a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited active exploitation. The likely attack vector is a web request made by a logged-in user, but the flaw could also be triggered by an unauthenticated user if the plugin's endpoints are publicly accessible. An attacker could modify survey settings, access private survey data, or use the survey functionality to gather credentials.

Generated by OpenCVE AI on April 29, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Survey Maker plugin to the latest released version (i.e., any version newer than 5.1.9.4) to apply the vendor-supplied fix for the access control issue.
  • If an immediate upgrade is not possible, temporarily disable or remove the Survey Maker plugin until the patch is applied.
  • Configure WordPress role permissions to restrict access to plugin pages so that only Administrators or designated roles can manage surveys, mitigating potential abuse of the access control flaw.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 17 Nov 2025 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 13 Nov 2025 16:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ays-pro; Ays-pro survey Maker; Wordpress; Wordpress wordpress
Vendors & Products  |                | Ays-pro; Ays-pro survey Maker; Wordpress; Wordpress wordpress

Thu, 13 Nov 2025 09:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Missing Authorization vulnerability in Ays Pro Survey Maker survey-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Survey Maker: from n/a through <= 5.1.9.4.
Title       |                | WordPress Survey Maker plugin <= 5.1.9.4 - Broken Access Control vulnerability
Weaknesses  |                | CWE-862
References  |                |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:29:22.429Z

Reserved: 2025-10-29T03:08:27.752Z

Link: CVE-2025-64276

Vulnrichment

Updated: 2025-11-17T19:17:56.081Z

NVD

Status: Deferred

Published: 2025-11-13T10:15:52.940

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64276

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:45:12Z

Weaknesses