CVE-2026-2440
Published: 21 March 2026
Summary
CVE-2026-2440 is a high-severity Cross-site Scripting (CWE-79) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-2440 is a stored cross-site scripting (XSS) vulnerability in the SurveyJS plugin for WordPress, affecting all versions up to and including 2.5.3. The flaw stems from insufficient input sanitization and output escaping during survey result submissions, as documented in the CVE description published on 2026-03-21. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-79 (Cross-Site Scripting).
Unauthenticated attackers can exploit the vulnerability by submitting HTML-encoded payloads through the public survey page, which exposes the nonce required for submission. These payloads are then decoded and rendered as executable HTML when an administrator views the survey results, enabling stored XSS execution in the admin context.
Advisories and code analysis are available via the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/08264ef7-940f-46b6-9880-34d730adad3c?source=cve, along with specific code references in the WordPress plugin Trac repository: https://plugins.trac.wordpress.org/browser/surveyjs/tags/2.5.2/ajax_handlers/save_result.php#L15 and https://plugins.trac.wordpress.org/browser/surveyjs/tags/2.5.2/views/results.php#L116.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14014
Vulnerability details
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin directly enables T1190 (exploiting a public application for initial access via unsanitized survey submissions) and T1059.007 (arbitrary JavaScript execution in the admin context when results are viewed).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the insufficient input sanitization by requiring validation of survey result submissions to block malicious HTML-encoded XSS payloads.
SI-15 mitigates the lack of output escaping by filtering survey results when rendered in the admin context, preventing XSS execution.
SI-2 ensures flaw remediation through patching the SurveyJS plugin vulnerability in versions up to 2.5.3.
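The defect class described in the vulnerability details (decode an HTML-encoded submission, store it, echo it unescaped in the admin view) and the two controls above (SI-10 validation on input, SI-15 filtering on output) are illustrated by the following added example. It is not the SurveyJS plugin's code and does not reproduce the referenced save_result.php or results.php; the xss_demo_* function names, the xss_demo_nonce action and the xss_demo_results option are assumptions chosen for the demonstration. The WordPress functions it calls (check_ajax_referer, wp_unslash, sanitize_text_field, esc_html, wp_kses, current_user_can, get_option, update_option) are real core APIs.

```php
<?php
// Added illustrative example, not the plugin's own code. All xss_demo_* names,
// the nonce action and the option key are hypothetical.

// ---- Vulnerable pattern: the CWE-79 shape the advisory describes ----------

// Input side: the submission is entity-decoded and stored verbatim.
function xss_demo_save_result_vulnerable() {
    // A nonce taken from a public page is a CSRF token, not an authorization
    // check: any visitor can obtain it, so it does nothing against this flaw.
    check_ajax_referer( 'xss_demo_nonce', 'nonce' );
    // Decoding "&lt;b&gt;" back to "<b>" recreates live markup from what
    // looked like harmless text at submission time.
    $answer  = html_entity_decode( wp_unslash( $_POST['answer'] ?? '' ) );
    $results = get_option( 'xss_demo_results', array() );
    $results[] = $answer;
    update_option( 'xss_demo_results', $results );
    wp_send_json_success();
}

// Output side: stored text is concatenated into admin HTML without escaping.
function xss_demo_render_results_vulnerable() {
    foreach ( get_option( 'xss_demo_results', array() ) as $answer ) {
        echo '<td>' . $answer . '</td>'; // stored markup runs in the admin's session
    }
}

// ---- Hardened pattern: SI-10 on the way in, SI-15 on the way out ----------

function xss_demo_save_result_hardened() {
    check_ajax_referer( 'xss_demo_nonce', 'nonce' );
    // SI-10 (input validation): never entity-decode untrusted input before
    // storage. sanitize_text_field() strips tags and control characters and
    // leaves existing entities as inert text. Enforce a length bound as well.
    $answer = sanitize_text_field( wp_unslash( $_POST['answer'] ?? '' ) );
    if ( '' === $answer || strlen( $answer ) > 2000 ) {
        wp_send_json_error( 'invalid answer', 400 );
    }
    $results   = get_option( 'xss_demo_results', array() );
    $results[] = $answer;
    update_option( 'xss_demo_results', $results );
    wp_send_json_success();
}

function xss_demo_render_results_hardened() {
    // Results are an admin-only view; gate it on capability, not on the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( get_option( 'xss_demo_results', array() ) as $answer ) {
        // SI-15 (output filtering): escape at the point of output, for the
        // context it lands in (HTML body). esc_html() does not double-encode
        // entities that sanitize_text_field() already left in place.
        echo '<td>' . esc_html( $answer ) . '</td>';
    }
}

// If respondents must be allowed limited formatting, allow-list it at output
// time instead of trusting stored text. Constructed sample for illustration:
function xss_demo_render_limited_markup( $answer ) {
    $allowed = array( 'b' => array(), 'i' => array(), 'br' => array() );
    return wp_kses( $answer, $allowed ); // every other tag and attribute is dropped
}
```

The two halves deliberately fix both sides of the data flow: sanitizing on input alone would still leave legacy rows already in the database exploitable when rendered, and escaping on output alone would leave the stored data unsafe for any other consumer (exports, e-mail notifications, other templates). A detection-minded reviewer looking at a plugin's result-saving path should treat any html_entity_decode() or stripslashes()-then-store on request data, paired with an unescaped echo in a wp-admin view, as the signature of this bug class.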