7.2
SurveyJS plugin for WordPress allows hackers to inject malicious code into admin panels
CVE-2026-2440
Summary
The SurveyJS plugin for WordPress has a flaw that lets hackers inject malicious code into the admin panel, where it runs when survey results are viewed. An attacker triggers it by submitting a specially crafted survey answer. To protect your site, update the SurveyJS plugin to the latest version or remove it if you don't use it.
Original title
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitizat...
Original description
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context.
NVD CVSS 3.1
7.2
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026
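
The decode-then-render pattern named in the original description, shown next to output escaping. This is an added example, not the plugin's code: every function name, the minimal entity decoder and the inert sample answer are assumptions constructed for illustration.

```javascript
// Added illustration; hypothetical names, not SurveyJS plugin code.

// Stand-in for the decoding step (assumption: the advisory only says
// submitted payloads "are decoded" before being rendered).
const ENTITIES = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'", "&amp;": "&" };
function decodeEntities(s) {
  return s.replace(/&(lt|gt|quot|#39|amp);/g, (m) => ENTITIES[m]);
}

// Output escaping for an HTML text context.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Input-side check that only looks for raw angle brackets.
// An HTML-encoded answer contains none, so it is accepted and stored.
function naiveInputFilter(s) {
  return !/[<>]/.test(s);
}

// Flawed pattern: decode the stored answer, then concatenate it into markup.
function renderAnswerUnsafe(stored) {
  return "<td>" + decodeEntities(stored) + "</td>";
}

// Corrected pattern: whatever decoding happens, escape at the point of output.
function renderAnswerSafe(stored) {
  return "<td>" + escapeHtml(decodeEntities(stored)) + "</td>";
}

// Constructed sample: inert bold markup, HTML-encoded as in the advisory.
const sampleAnswer = "&lt;b&gt;answer&lt;/b&gt;";

console.log("accepted by input filter:", naiveInputFilter(sampleAnswer));
console.log("unsafe render:", renderAnswerUnsafe(sampleAnswer));
console.log("safe render:  ", renderAnswerSafe(sampleAnswer));
```

In the unsafe render the submitted markup becomes a live element in the admin page; in the safe render it stays visible text.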