The SurveyFunnel – Survey Plugin for WordPress suffers from a stored cross-site scripting vulnerability identified as CVE-2025-12417. This vulnerability is due to insufficient sanitization and escaping of user input in the 'surveyfunnel_lite_survey' shortcode, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into survey pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability affects all versions up to and including 1.1.5. The attack vector is remote over the network, with low complexity and no need for user interaction, but requires authenticated access with contributor or higher privileges. The scope is changed as the vulnerability affects multiple users who view the injected content. The CVSS 3.1 base score is 6.4, indicating a medium severity level with partial confidentiality and integrity impacts but no availability impact. No patches are currently linked, and no exploits are known in the wild, but the vulnerability poses a significant risk in environments where the plugin is installed and contributor-level access is granted to potentially untrusted users.

This vulnerability can lead to unauthorized script execution in the context of the affected WordPress site, compromising the confidentiality and integrity of user sessions and data. Attackers with contributor-level access can inject malicious payloads that execute for any user viewing the infected page, potentially enabling session hijacking, defacement, or unauthorized administrative actions if combined with other vulnerabilities. The impact is particularly severe in multi-user WordPress environments such as community sites, membership platforms, or corporate blogs where contributors may not be fully trusted. While availability is not directly affected, the reputational damage and potential data breaches resulting from successful exploitation can be significant. Organizations relying on this plugin without proper access controls or input validation are at risk of persistent XSS attacks that can be leveraged for further compromise or phishing campaigns targeting site users.

1. Immediately restrict contributor-level and higher permissions to trusted users only until a patch is available. 2. Implement strict input validation and output escaping for all user-supplied data in the 'surveyfunnel_lite_survey' shortcode, ideally by updating to a patched plugin version once released. 3. Use Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting this plugin. 4. Conduct regular security audits of user-generated content and shortcodes to identify and remove injected scripts. 5. Educate site administrators and contributors about the risks of XSS and the importance of cautious content input. 6. Monitor logs for suspicious activity indicative of exploitation attempts. 7. Consider disabling or replacing the SurveyFunnel plugin if immediate patching is not feasible. 8. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting allowed script sources.