CVE-2026-26370 MEDIUM

Vendor Ays Pro
Product Survey Maker
Weakness CWE-79 · XSS
Published February 20, 2026
Last update February 20, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.

Explanation of Vulnerability in Simple Terms

02 Summary

Survey Maker versions 5.1.7.7 and prior contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into survey pages. An attacker can craft a malicious link or embed code that executes in a victim's browser when they view the affected survey. The vulnerability affects the site's integrity and can compromise user data or session tokens.

What an attacker can do

03 Attacker Capabilities

Inject malicious JavaScript that runs in visitors' browsers when they view a survey.

Potential impact on your site

04 Site Impact

Attackers can steal visitor session tokens, redirect users, or deface survey content without needing site admin access.

Conditions required to exploit

05 Prerequisites

Victim must click a malicious link or visit a page containing the attacker's payload.

Key dates

06 Disclosure timeline

February 20, 2026 CVE published
February 20, 2026 Record updated
