PT-2026-26837 · WordPress · Surveyjs

Daniel Basta · Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-2440

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SurveyJS plugin for WordPress, versions through 2.5.3

Description: The software is susceptible to Stored Cross-Site Scripting through survey result submissions. Insufficient input sanitization and output escaping allow attackers to inject HTML-encoded payloads. The nonce required for submission is exposed on the public survey page, enabling unauthenticated attackers to submit malicious content. When an administrator views survey results, the injected payload is decoded and executed as HTML, resulting in stored XSS within the admin context.

Recommendations: Update the SurveyJS plugin to a version later than 2.5.3.
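The following PHP is an added illustration of the defect class the advisory describes and of the corresponding fix; it is not the SurveyJS plugin's code, and the function names, the nonce action name and the capability used are assumptions. The vulnerable rendering path assumes one way the "decoded and executed as HTML" behaviour can arise (a stored value entity-decoded before output); the hardened path sanitizes on input, escapes on output with the real WordPress helpers, and treats the public nonce as a CSRF token rather than as authorization.

```php
<?php
// Added example, not the SurveyJS plugin's code. Function names, the nonce
// action 'surveyjs_submit' and the 'manage_options' capability are assumptions;
// the WordPress API calls (esc_html, sanitize_text_field, wp_verify_nonce,
// current_user_can, wp_kses_post) are real.

// --- Pattern that produces the advisory's behaviour (assumed mechanism) ----
// The stored answer is entity-decoded before it is echoed, so an
// entity-encoded tag submitted through the public survey form becomes live
// markup in the administrator's browser when the results page is viewed.
function render_result_vulnerable( $stored_answer ) {
    echo '<td>' . html_entity_decode( $stored_answer ) . '</td>';
}

// --- Hardened pattern ------------------------------------------------------
// 1. Sanitize on the way in: strip tags, remove octets below 0x20, trim.
function store_answer_hardened( $raw_answer ) {
    return sanitize_text_field( wp_unslash( $raw_answer ) );
}

// 2. Escape on the way out, for the exact HTML context it lands in.
//    esc_html() never decodes: an entity stays an entity and renders as text.
//    If a field legitimately needs limited markup, use wp_kses_post() instead,
//    never html_entity_decode() or raw echo.
function render_result_hardened( $stored_answer ) {
    echo '<td>' . esc_html( $stored_answer ) . '</td>';
}

// 3. A nonce printed on a public page only proves the request originated from
//    that page; it says nothing about who sent it. Keep it as the CSRF check
//    on the public submission handler, and gate the results view with a
//    capability check rather than with the nonce.
function handle_submission( array $request ) {
    if ( ! isset( $request['_wpnonce'] )
        || ! wp_verify_nonce( $request['_wpnonce'], 'surveyjs_submit' ) ) { // assumed action name
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    $answer = store_answer_hardened( $request['answer'] ?? '' );
    // ... persist $answer with the plugin's storage layer (omitted) ...
    return $answer;
}

function show_results_page( array $stored_answers ) {
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    echo '<table>';
    foreach ( $stored_answers as $answer ) {
        echo '<tr>';
        render_result_hardened( $answer );
        echo '</tr>';
    }
    echo '</table>';
}
```

The check worth running against any results page is the last step: take a stored answer containing an entity-encoded tag, load the admin view, and confirm it is displayed literally as text rather than rendered. Input sanitization alone is not sufficient, because a value that is harmless as stored text becomes markup the moment the output path decodes it.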

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-2440

Affected Products

Surveyjs