Description
The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting allowing authenticated contributors to inject scripts into survey pages
Action: Patch Update
AI Analysis

Impact

The vulnerability is a stored XSS flaw caused by insufficient sanitization and escaping of user-supplied attributes in the 'questionpro' shortcode. When an authenticated user with Contributor or higher privileges places script content in those attributes, the content is saved with the post and executes in the browser of every user who views the affected survey page. The weakness is classified as CWE-79 (improper neutralization of input during web page generation) and can lead to session hijacking, defacement, or theft of sensitive data from end users who load the affected page.

Affected Systems

All installations of the QuestionPro Surveys WordPress plugin up to and including version 1.0. The affected component is the plugin’s handling of shortcode attributes within the WordPress environment.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score below 1% reflects a very low estimated probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation has been confirmed there. An attacker must first hold Contributor-level or higher access to a site running the vulnerable plugin; they can then store persistent malicious script through the shortcode attributes. If successful, the script executes in the browser of every visitor to the affected survey page, potentially exposing credentials, session cookies, or other confidential information. The attack surface is limited to sites running the vulnerable plugin version that allow Contributor accounts to create or edit content containing the shortcode.

Generated by OpenCVE AI on April 15, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the QuestionPro Surveys plugin to the latest version released after 1.0, which addresses the XSS issue.
  • If an immediate upgrade is not possible, restrict Contributor role capabilities or temporarily revoke the ability for contributors to edit or create surveys containing the 'questionpro' shortcode.
  • Implement a content security policy that restricts script execution and blocks inline scripts on the survey pages.
  • Apply a site‑wide input sanitization layer or WordPress security plugin that automatically escapes shortcode attributes before storage.
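To make concrete what "insufficient output escaping on user supplied attributes" means in the Impact section above, and what the recommended escaping of shortcode attributes looks like in practice, here is an added illustration. It is not the QuestionPro plugin's code: it is a generic WordPress shortcode handler written in the vulnerable shape the advisory describes, beside a hardened version of the same handler. The shortcode name 'demo_survey', its attribute names, the survey URL and the stand-in helper functions are all assumptions made for this example.

```php
<?php
// Added illustration, not the QuestionPro plugin's code: a generic WordPress
// shortcode handler that writes attributes into HTML without escaping, beside
// a hardened version. The shortcode name 'demo_survey', its attributes and the
// survey URL are assumptions made for this example.

// Minimal stand-ins so the file runs under plain `php` outside WordPress.
// They are constructed for this example; inside a real plugin, rely on
// WordPress's own implementations of these functions.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
    function esc_url( $url ) {
        // Only http(s) URLs survive; anything else collapses to an empty string.
        return preg_match( '#^https?://#i', $url ) ? esc_attr( $url ) : '';
    }
    function absint( $value ) {
        return abs( (int) $value );
    }
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        // Keep only attributes named in $pairs, filling defaults for the rest.
        $out = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = isset( $atts[ $name ] ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
    function add_shortcode( $tag, $callback ) { /* no-op outside WordPress */ }
}

function demo_survey_defaults() {
    return array( 'id' => '', 'title' => '', 'height' => '600' );
}

// Vulnerable pattern: attribute values go straight into the markup. A quote
// character in 'title' ends the attribute early and whatever follows is
// rendered as HTML, which is the stored XSS condition the advisory describes.
function demo_survey_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( demo_survey_defaults(), $atts, 'demo_survey' );
    return '<div class="survey" title="' . $atts['title'] . '">'
         . '<iframe src="https://surveys.example/s/' . $atts['id'] . '"'
         . ' height="' . $atts['height'] . '"></iframe></div>';
}

// Hardened pattern: each value is validated or escaped for the exact context
// it is printed in (attribute value, URL, integer), so stored content cannot
// change the structure of the page.
function demo_survey_shortcode_safe( $atts ) {
    $atts = shortcode_atts( demo_survey_defaults(), $atts, 'demo_survey' );

    // Survey ids are assumed to be alphanumerics, dash and underscore only.
    $id = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $atts['id'] );
    if ( '' === $id ) {
        return ''; // nothing to embed; render nothing rather than a broken iframe
    }
    $height = absint( $atts['height'] );
    $src    = 'https://surveys.example/s/' . rawurlencode( $id );

    return '<div class="survey" title="' . esc_attr( $atts['title'] ) . '">'
         . '<iframe src="' . esc_url( $src ) . '" height="' . $height . '"></iframe></div>';
}

add_shortcode( 'demo_survey', 'demo_survey_shortcode_safe' );

// Constructed input standing in for what a Contributor could save in a post.
$untrusted = array(
    'id'     => 'abc123',
    'title'  => 'Feedback" data-x="',   // the stray quote is the problem character
    'height' => '600px',
);
echo "vulnerable: ", demo_survey_shortcode_vulnerable( $untrusted ), "\n";
echo "hardened:   ", demo_survey_shortcode_safe( $untrusted ), "\n";
```

Running the file shows the difference: the vulnerable handler emits the quote unchanged, so the stored title has become a second attribute on the div, while the hardened handler prints `&quot;` and the title stays a plain string. The point for review is that `shortcode_atts()` only whitelists attribute names; escaping at output (`esc_attr`, `esc_url`, `absint`) is what keeps a Contributor-controlled value from altering the page.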



Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Questionpro; Questionpro questionpro Surveys; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Questionpro; Questionpro questionpro Surveys; Wordpress; Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type: Description
Values Added: The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: QuestionPro Surveys <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Questionpro Questionpro Surveys
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:01.608Z

Reserved: 2026-02-04T14:49:31.230Z

Link: CVE-2026-1901

Vulnrichment

Updated: 2026-02-17T15:36:49.392Z

NVD

Status : Deferred

Published: 2026-02-14T07:16:11.113

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses