Description
WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.
Published: 2026-02-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting leading to arbitrary script execution in a user’s browser
Action: Update Plugin
AI Analysis

Impact

WordPress Plugin "Survey Maker" versions 5.1.7.7 and older harbour a Cross‑Site Scripting flaw that allows an attacker to inject and run arbitrary JavaScript when users view the survey. The vulnerability enables execution of malicious code, which can harvest cookies, hijack sessions, or perform other client‑side attacks against the visitor. A likely attack vector is a crafted survey URL or form field that delivers unsanitized user input to the browser, but this is inferred from the nature of the flaw and not explicitly stated in the description.

Affected Systems

The affected system is the Survey Maker plugin developed by Ays Pro for WordPress. Versions 5.1.7.7 and any earlier releases are vulnerable and should be avoided until a patch is applied.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity. The EPSS score of less than one percent implies that exploitation is expected to be rare, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because it enables arbitrary script execution, a malicious actor who can lure a user to the vulnerable survey can gain client‑side compromise. No vendor‑provided fix is listed, so the vulnerability remains exploitable until the plugin is updated.

Generated by OpenCVE AI on April 17, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Survey Maker to the latest patched version or apply a vendor‑provided patch if one is released
  • If an update is not immediately available, disable or remove the Survey Maker plugin from the site to eliminate the attack surface
  • Implement strict output‑encoding and a Content Security Policy to limit the impact of any residual injection attempts



Advisories

No advisories yet.

History

Fri, 17 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
Title | (none) | Cross‑Site Scripting in WordPress Survey Maker Plugin

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Ays-pro; Ays-pro survey Maker; Wordpress; Wordpress wordpress
Vendors & Products | (none) | Ays-pro; Ays-pro survey Maker; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.
Weaknesses | (none) | CWE-79
References | (none) |
Metrics | (none) | cvssV3_0: {'score': 6.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-20T13:54:24.585Z

Reserved: 2026-02-16T00:13:00.474Z

Link: CVE-2026-26370

Vulnrichment

Updated: 2026-02-20T13:54:09.340Z

NVD

Status: Deferred

Published: 2026-02-20T08:17:03.087

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses