Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network XSS requiring victim interaction (UI:R); injected script escapes plugin scope (S:C) with limited but real confidentiality/integrity/availability impact via session hijacking.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Survey Maker <= 5.2.2.5 versions.
AnalysisAI
Stored/reflected cross-site scripting in the Survey Maker WordPress plugin (versions 5.2.2.5 and earlier by AYS Pro) lets unauthenticated remote attackers inject JavaScript that executes in a victim's browser after they interact with a crafted page or survey. The CVSS scope-change flag (S:C) indicates the injected script escapes the plugin's context to affect the wider WordPress site, potentially reaching authenticated admin sessions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a victim to interact with attacker-controlled content - per CVSS UI:R, the target must load a crafted link, submit through or view a malicious survey, or render a page containing the injected payload; the attack does not fire autonomously. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1) describes network-reachable, low-complexity exploitation with no privileges required, but it hinges on user interaction (UI:R) - a victim must load the malicious content, which is the standard limiter for XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or survey input containing a malicious JavaScript payload and lures a site visitor or administrator into loading it (UI:R). When the unescaped input is rendered, the script runs in the victim's browser session; if the victim is a logged-in administrator, the attacker can hijack the session, create rogue admin accounts, or inject site-wide content. … |
| Remediation | No vendor-released patch version was identified in the provided data - the input only defines the vulnerable range (<= 5.2.2.5), so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/survey-maker/vulnerability/wordpress-survey-maker-plugin-5-2-2-5-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for a release newer than 5.2.2.5 and upgrade to it as soon as one is confirmed available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress installations to identify Survey Maker plugin presence and current version. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Survey Maker
View allThe Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the '
The get_results() and get_items() functions in the Survey Maker WordPress plugin before 1.5.6 did not use whitelist or v
The "Survey Maker - Best WordPress Survey Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
The Survey Maker WordPress plugin before 3.4.7 does not escape some parameters before outputting them back in attributes
The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Survey Maker team
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Survey Maker team
The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Survey fields in all versions up
The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ays_sections[5][questions][8
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41360
GHSA-r9g6-2f8j-qw6x