Cyber Resilience

CVE-2026-2440

Severity: High
Published: 21 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: (not stated)
CVSS Score (v3.1): 7.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score: 0.0011 (29.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2440 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability affecting WordPress (product inferred from references; the deeper analysis below identifies the SurveyJS plugin). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 29.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-2440 is a stored cross-site scripting (XSS) vulnerability in the SurveyJS plugin for WordPress, affecting all versions up to and including 2.5.3. The flaw stems from insufficient input sanitization and output escaping during survey result submissions, as documented in the CVE description published on 2026-03-21. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-79 (Cross-Site Scripting).

Unauthenticated attackers can exploit the vulnerability by submitting HTML-encoded payloads through the public survey page, which exposes the nonce required for submission. These payloads are then decoded and rendered as executable HTML when an administrator views the survey results, enabling stored XSS execution in the admin context.

Advisories and code analysis are available via the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/08264ef7-940f-46b6-9880-34d730adad3c?source=cve, along with specific code references in the WordPress plugin trac repository: https://plugins.trac.wordpress.org/browser/surveyjs/tags/2.5.2/ajax_handlers/save_result.php#L15 and https://plugins.trac.wordpress.org/browser/surveyjs/tags/2.5.2/views/results.php#L116.

Vulnerability details

The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context.

CWE(s): CWE-79 (Cross-Site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in a public-facing WordPress plugin maps directly to T1190 (the unsanitized survey submission is the public-application weakness used for initial access) and to T1059.007 (arbitrary JavaScript runs in the administrator's browser context when the results are viewed).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (each shares CWE-79)

CVE-2026-3231
CVE-2025-23481
CVE-2025-69302
CVE-2025-23734
CVE-2025-23571
CVE-2025-65110
CVE-2026-24948
CVE-2025-27352
CVE-2025-30349
CVE-2026-3876

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

Prevent: SI-10 (Information Input Validation) directly addresses the insufficient input sanitization by requiring validation of survey result submissions so that HTML-encoded XSS payloads are rejected before storage.

Prevent: SI-15 (Information Output Filtering) mitigates the missing output escaping by filtering survey results when they are rendered in the admin context, so stored content cannot execute as script.

Prevent: SI-2 (Flaw Remediation) covers patching the SurveyJS plugin, which is affected in all versions up to and including 2.5.3.
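The following plain-PHP sketch is an added illustration for this page; it is not the SurveyJS plugin's code and is not taken from the Wordfence advisory or the trac links above. It walks the store-and-display path the deeper analysis describes, first with the weak pattern the advisory calls "insufficient input sanitization and output escaping" (a stripper that ignores entity-encoded tags, and a renderer that decodes entities into live markup) and then with the input validation (SI-10) and output filtering (SI-15) that close it. All function names and the sample submission are assumptions; plain-PHP functions are used so it runs with the php CLI, with the WordPress helpers that do the same job named in comments.

```php
<?php
// Added illustration, not the SurveyJS plugin's code. Function names and
// sample values are constructed for this example.

// Constructed sample: a free-text answer as a visitor might POST it to the
// public survey endpoint. Entities keep it looking harmless in a database dump.
$submitted = '&lt;b&gt;Great survey&lt;/b&gt;';

// Weak input step: strips only literal tags. Entity-encoded tags are not tags
// yet, so they pass through unchanged and are stored as-is.
function sanitize_answer_weak(string $raw): string {
    return trim(strip_tags($raw));
}

// SI-10 style input validation: decode first, then strip, so an encoded tag
// cannot survive storage and turn into markup later. (In WordPress the value
// would also go through sanitize_text_field() before being saved.)
function sanitize_answer(string $raw): string {
    $decoded = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return trim(strip_tags($decoded));
}

// Weak renderer: decodes the stored entities and prints the result as HTML,
// so anything the visitor typed is parsed by the administrator's browser.
function render_answer_weak(string $stored): string {
    return '<td>' . html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// SI-15 style output filtering: the stored value is treated as text and
// escaped at the point of output. htmlspecialchars() is the plain-PHP
// counterpart of WordPress's esc_html(); stored entities are escaped again,
// so the admin sees the submission verbatim as text, never as elements.
function render_answer_safe(string $stored): string {
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Compare the four combinations of input handling and rendering.
$stored_weak = sanitize_answer_weak($submitted);  // still entity-encoded
$stored_safe = sanitize_answer($submitted);       // plain text, tags removed

echo "weak input, weak render:  ", render_answer_weak($stored_weak), PHP_EOL;
echo "weak input, safe render:  ", render_answer_safe($stored_weak), PHP_EOL;
echo "safe input, weak render:  ", render_answer_weak($stored_safe), PHP_EOL;
echo "safe input, safe render:  ", render_answer_safe($stored_safe), PHP_EOL;
```

Run it with `php example.php`. Only the first line emits a live `<b>` element, which is the stored-XSS path from the advisory; escaping at output alone is enough to neutralise it, and the decode-then-strip input step is defence in depth rather than a substitute. Two points worth keeping in mind when reviewing similar code: a sanitiser must be applied to the form the data will actually take when rendered, which is why stripping tags before decoding entities protects nothing here; and the nonce the public survey page exposes is a CSRF token, not an authorisation check, so its presence does not make a submission trusted.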
