CVE-2025-22664 is a stored cross-site scripting (XSS) vulnerability identified in Ays Pro Survey Maker, a survey creation and management platform. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be embedded and stored within survey content. When other users or administrators access the affected survey pages, the malicious scripts execute in their browsers under the context of the vulnerable application. This can lead to a range of attacks including session hijacking, theft of sensitive information, defacement, or distribution of malware. The vulnerability affects all versions up to and including 5.1.3.5. No CVSS score has been assigned yet, and no patches or exploit code are currently publicly available. The flaw does not require authentication to exploit, and user interaction is limited to viewing the compromised survey page. The persistent nature of stored XSS increases the risk as the malicious payload remains active until removed. The vulnerability was reserved in early January 2025 and published in February 2025, indicating recent discovery. The lack of patch links suggests that fixes may still be pending or in development. Organizations using this product should be aware of the risk and prepare to implement patches or mitigations once available.

The primary impact of CVE-2025-22664 is on the confidentiality and integrity of data within organizations using Ays Pro Survey Maker. An attacker exploiting this vulnerability can execute arbitrary JavaScript in the context of the victim's browser, potentially stealing session cookies, credentials, or other sensitive data. This can lead to unauthorized access to administrative functions or user accounts. Additionally, attackers could manipulate survey data or redirect users to malicious sites, damaging organizational reputation and trust. The stored nature of the XSS means the malicious payload can affect multiple users over time, increasing the scope of impact. For organizations relying on Survey Maker for critical data collection, this vulnerability could disrupt operations and expose sensitive information. Although availability impact is limited, the broader consequences on data integrity and confidentiality are significant. The ease of exploitation without authentication or complex prerequisites increases the likelihood of targeted or opportunistic attacks.

Organizations should immediately review their use of Ays Pro Survey Maker and identify affected versions (<= 5.1.3.5). Until an official patch is released, implement input validation and output encoding on all user-supplied data fields within the survey application to neutralize potentially malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the survey pages. Regularly audit stored survey content for suspicious scripts or payloads and remove any identified malicious entries. Limit user privileges to reduce the risk of malicious input submissions, and monitor logs for unusual activity indicative of exploitation attempts. Educate users and administrators about the risks of clicking unknown survey links. Once a vendor patch is available, prioritize timely deployment. Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the Survey Maker application. Maintain up-to-date backups of survey data to enable recovery if data integrity is compromised.