WordPress Plugin Vulnerabilities

Survey Maker < 5.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
survey-maker
Fixed in 5.0.3

References

CVE
CVE-2024-50426
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b1043c80-e1fc-4264-8e51-218f89fdd162

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Marek Mikita
Verified
No
WPVDB ID
709b1ddd-b540-44a8-9719-c49238e34785

Timeline

Publicly Published
2024-10-24 (about 1 year ago)
Added
2024-10-31 (about 1 year ago)
Last Updated
2024-10-31 (about 1 year ago)

Other

Published
Title
Published
2025-01-16
Title
LH Email <= 1.12 - Reflected Cross-Site Scripting
Published
2024-05-29
Title
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX < 4.1.2 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2024-12-11
Title
Staggs Product Configurator for WooCommerce < 2.1.0 - Reflected Cross-Site Scripting
Published
2020-07-08
Title
Mailster Gravity Forms < 2.4.9 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2023-07-04
Title
Animated Number Counters < 1.7 - Editor+ Stored XSS