CVE-2026-2440
published 2026-03-21

Priority: P3 42
Severity: high, 7.2 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.28% (19.9th percentile)

The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context.
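
The decode-then-render pattern described above, next to a version that escapes at the output boundary. This is an added example, not the plugin's code: the table-cell markup, the function names and the sample submissions are all assumptions made for illustration.

```javascript
// Added example: markup and function names are hypothetical, not the plugin's code.
const NAMED = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };

// Decode named and numeric HTML entities once, as a results view might do for display.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, e) => {
    if (e[0] !== "#") return NAMED[e.toLowerCase()] ?? m;
    const cp = /^#x/i.test(e) ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Escape at the output boundary so the value can only ever be text.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Flawed pattern: the stored value is decoded, then placed into markup as-is.
function renderCellUnsafe(stored) {
  return `<td>${decodeEntities(stored)}</td>`;
}

// Hardened: decode if the view needs it, but escape last, immediately before output.
function renderCellSafe(stored) {
  return `<td>${escapeHtml(decodeEntities(stored))}</td>`;
}

// Triage helper: decode to a fixed point and report whether tag-like markup appears.
function containsMarkupAfterDecode(stored, maxRounds = 5) {
  let cur = stored;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEntities(cur);
    if (next === cur) break;
    cur = next;
  }
  return /<\/?[a-z][^>]*>/i.test(cur);
}

// Constructed sample submissions (not taken from real traffic).
const samples = [
  "Great survey, thanks!",
  "&lt;script&gt;alert(1)&lt;/script&gt;",
  "&amp;lt;b&amp;gt;nested&amp;lt;/b&amp;gt;",
  "5 &lt; 7 &amp; 7 &gt; 5",
];
for (const s of samples) {
  console.log({ s, flagged: containsMarkupAfterDecode(s), safe: renderCellSafe(s) });
}
```

The triage helper can be run over stored survey results on an affected install to find submissions that turn into markup once decoded; the last sample shows that ordinary text containing encoded comparison signs is not flagged.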

Affected

1 range
Vendor: devsoftbaltic
Product: surveyjs_drag_drop_form_builder
Version range: <= 2.5.3
Fixed in: (not listed)