CVE-2026-2440
SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting
| CVSS Score | 7.2 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context.
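The mechanism the description names (a stored value that was HTML-encoded on submission, then decoded before it is echoed into the admin results view) can be shown in a few lines. The following is an added PHP example, not code from the SurveyJS plugin or from Wordfence; the function names, the `$stored_answer` value and the table cell context are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: a survey answer as it might sit in the database after
// the submitter entity-encoded it. The submission endpoint is public by
// design, and the nonce on the survey page only guards against CSRF; it
// does not make the submitted text trustworthy.
$stored_answer = '&lt;script&gt;alert(1)&lt;/script&gt;';

// Vulnerable pattern: entities are decoded right before output, so the
// stored text becomes live markup in the administrator's browser.
function render_answer_vulnerable(string $stored): string
{
    return '<td>' . html_entity_decode($stored, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Fixed pattern: treat the stored value as untrusted text and escape it at
// the point of output. If the value was already encoded, the admin sees the
// literal entities (harmless); raw markup never reaches the page.
// In WordPress, esc_html() plays the role of htmlspecialchars() here.
function render_answer_fixed(string $stored): string
{
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// If the goal was to show the submitter's original text rather than the
// entity form, decode first and still escape on output. The decode step
// alone is what made the original pattern exploitable.
function render_answer_normalized(string $stored): string
{
    $text = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    return '<td>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Simple check a reviewer can run: the hardened renderers must never emit
// an unescaped '<' from untrusted input.
function contains_raw_tag(string $html): bool
{
    // Strip the fixed <td> wrapper this example adds, then look for any
    // remaining raw angle bracket in the untrusted portion.
    $inner = substr($html, strlen('<td>'), -strlen('</td>'));
    return str_contains($inner, '<');
}

foreach (['vulnerable' => 'render_answer_vulnerable',
          'fixed' => 'render_answer_fixed',
          'normalized' => 'render_answer_normalized'] as $label => $fn) {
    $out = $fn($stored_answer);
    printf("%-10s raw tag in output: %s\n", $label, contains_raw_tag($out) ? 'yes' : 'no');
}
```

Only the first renderer reports a raw tag; both escaping variants render the stored answer as text. Escaping belongs in the view (here `views/results.php` per the references) regardless of whatever sanitization the submission handler applies, because the view cannot know which storage path a row took.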
| CWE | CWE-79 |
| Vendor | devsoftbaltic |
| Product | surveyjs: drag & drop form builder |
| Published | Mar 21, 2026 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Changed (S:C) |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |
Affected Versions

| devsoftbaltic / SurveyJS: Drag & Drop Form Builder | 0 ≤ version ≤ 2.5.3 |
References

- wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/08264ef7-940f-46b6-9880-34d730adad3c?source=cve
- plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/surveyjs/tags/2.5.2/ajax_handlers/save_result.php#L15
- plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/surveyjs/tags/2.5.2/views/results.php#L116
Credits
Daniel Basta