CVE-2026-2440

EUVD-2026-14014 | HIGH
2026-03-21 | Wordfence | GHSA-v39q-6w5w-5842
CVSS 3.1: 7.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 21, 2026 - 04:00 (euvd), EUVD-2026-14014
Analysis Generated: Mar 21, 2026 - 04:00 (vuln.today)
CVE Published: Mar 21, 2026 - 03:26 (nvd), HIGH 7.2

Description

The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context.
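The decode-then-render failure described above can be checked for in stored results. The following is an added example, not code from the plugin or from this advisory: it assumes survey results are available as JSON text, and the function names and sample submissions are constructed for illustration. It flags answers that become HTML markup once entity encoding is undone, and shows escaping applied at output time, after decoding.

```python
import html
import json
import re

# Markup that should never appear in a plain-text survey answer once decoded.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def fully_decode(value, max_rounds=5):
    """Undo HTML entity encoding repeatedly, so &amp;lt; is caught as well as &lt;."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value

def walk_strings(node, path="$"):
    """Yield (json_path, string) for every string value in a parsed JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, child in node.items():
            yield from walk_strings(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk_strings(child, f"{path}[{i}]")

def audit_result(raw_json):
    """Return paths of answers that turn into HTML markup after entity decoding."""
    findings = []
    for path, text in walk_strings(json.loads(raw_json)):
        if MARKUP.search(fully_decode(text)):
            findings.append(path)
    return findings

def render_answer(text):
    """Escape at output time, after any decoding, so the browser receives text only."""
    return html.escape(fully_decode(text), quote=True)

# Constructed sample submissions (not taken from the plugin or from real traffic).
SAMPLES = [
    '{"name": "Alice", "comment": "5 &lt; 7 &amp; fine"}',
    '{"name": "x", "comment": "&lt;script&gt;alert(1)&lt;/script&gt;"}',
    '{"name": "y", "tags": ["ok", "&amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt;"]}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_result(sample))
```

The first sample decodes to ordinary text containing `<` and `&` and is not flagged; the other two are flagged because they decode to tags, the third only after two rounds of decoding.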

Analysis

The SurveyJS WordPress plugin contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to and including 2.5.3. Unauthenticated attackers can submit malicious HTML-encoded payloads through public survey forms that execute when administrators view survey results in the WordPress admin dashboard. …

Remediation

Within 24 hours: Audit all WordPress installations for SurveyJS plugin presence and version; disable the plugin immediately if installed. Within 7 days: Implement Web Application Firewall (WAF) rules to block malicious payloads in survey submissions; review admin access logs for suspicious activity. …

Priority Score

36
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0
