{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26370", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-02-16T00:13:00.474Z", "datePublished": "2026-02-20T07:42:15.263Z", "dateUpdated": "2026-02-20T13:54:24.585Z"}, "containers": {"cna": {"affected": [{"vendor": "Ays Pro", "product": "Survey Maker", "versions": [{"version": "5.1.7.7 and prior", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "WordPress Plugin \"Survey Maker\" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser."}], "problemTypes": [{"descriptions": [{"description": "Cross-site scripting (XSS)", "lang": "en-US", "cweId": "CWE-79", "type": "CWE"}]}], "references": [{"url": "https://wordpress.org/plugins/survey-maker/"}, {"url": "https://jvn.jp/en/jp/JVN20049394/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-20T07:42:15.263Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T13:53:36.684086Z", "id": "CVE-2026-26370", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T13:54:24.585Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26370", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T13:53:36.684086Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T13:54:09.340Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Ays Pro", "product": "Survey Maker", "versions": [{"status": "affected", "version": "5.1.7.7 and prior"}]}], "references": [{"url": "https://wordpress.org/plugins/survey-maker/"}, {"url": "https://jvn.jp/en/jp/JVN20049394/"}], "descriptions": [{"lang": "en", "value": "WordPress Plugin \"Survey Maker\" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-79", "description": "Cross-site scripting (XSS)"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-20T07:42:15.263Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26370", "state": "PUBLISHED", "dateUpdated": "2026-02-20T13:54:24.585Z", "dateReserved": "2026-02-16T00:13:00.474Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-02-20T07:42:15.263Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WordPress Plugin \"Survey Maker\" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser."}, {"lang": "es", "value": "El plugin de WordPress 'Survey Maker' versiones 5.1.7.7 y anteriores contiene una vulnerabilidad de cross-site scripting. Si esta vulnerabilidad es explotada, un script arbitrario puede ser ejecutado en el navegador web del usuario."}], "id": "CVE-2026-26370", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-02-20T08:17:03.087", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN20049394/"}, {"source": "vultures@jpcert.or.jp", "url": "https://wordpress.org/plugins/survey-maker/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.1.7.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Survey Maker", "source": "cna", "vendor": "Ays Pro"}, "product": "survey_maker", "vendor": "ays-pro"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T17:29:29.299037+00:00", "value": {"mitigation_remediation": ["Update Survey Maker to the latest patched version or apply a vendor\u2011provided patch if one is released", "If an update is not immediately available, disable or remove the Survey Maker plugin from the site to eliminate the attack surface", "Implement strict output\u2011encoding and a Content Security Policy to limit the impact of any residual injection attempts"], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Scripting leading to arbitrary script execution in a user\u2019s browser"}, "threat_synthesis": {"affected_systems": "The affected system is the Survey Maker plugin developed by Ays Pro for WordPress. Versions 5.1.7.7 and any earlier releases are vulnerable and should be avoided until a patch is applied.", "description_and_impact": "WordPress Plugin \"Survey Maker\" versions 5.1.7.7 and older harbour a Cross\u2011Site Scripting flaw that allows an attacker to inject and run arbitrary JavaScript when users view the survey. The vulnerability enables execution of malicious code, which can harvest cookies, hijack sessions, or perform other client\u2011side attacks against the visitor. A likely attack vector is a crafted survey URL or form field that delivers unsanitized user input to the browser, but this is inferred from the nature of the flaw and not explicitly stated in the description.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a medium severity. The EPSS score of less than one percent implies that exploitation is expected to be rare, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because it enables arbitrary script execution, a malicious actor who can lure a user to the vulnerable survey can gain client\u2011side compromise. No vendor\u2011provided fix is listed, so the vulnerability remains exploitable until the plugin is updated."}}}}, "created": "2026-02-23T14:47:10.886118+00:00", "title": "Cross\u2011Site Scripting in WordPress Survey Maker Plugin", "updated": "2026-04-17T17:30:23.870008+00:00", "vendors": ["ays-pro", "ays-pro$PRODUCT$survey_maker", "wordpress", "wordpress$PRODUCT$wordpress"]}