CVE-2025-48095 is a Stored Cross-Site Scripting (XSS) vulnerability identified in Ays Pro Survey Maker, a web-based survey creation platform. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious scripts that are stored and later executed in the context of users viewing the affected pages. This issue affects versions up to and including 5.1.8.8. The CVSS 3.1 base score is 5.9 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), requiring user interaction (UI:R), and a scope change (S:C). The impact affects confidentiality, integrity, and availability at a low level. Exploitation requires an attacker to have high privileges, such as administrative access to the survey maker platform, and to trick a user into interacting with the malicious content. Although no known exploits are currently reported in the wild, the vulnerability could be leveraged to execute arbitrary JavaScript in the context of users’ browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. The vulnerability is particularly concerning in environments where survey data is sensitive or where administrative privileges are widely distributed. The lack of available patches at the time of publication necessitates immediate attention to input validation and output encoding practices to mitigate risk.

For European organizations, the impact of this vulnerability can be significant, especially for entities relying on Ays Pro Survey Maker for collecting sensitive data such as personal information, customer feedback, or internal surveys. Exploitation could lead to unauthorized access to user sessions, data leakage, and manipulation of survey content, undermining data integrity and user trust. The requirement for high privileges to exploit limits the threat to insiders or attackers who have already compromised administrative accounts, but the potential damage remains substantial. Public sector organizations, educational institutions, and enterprises using this software may face reputational damage and regulatory consequences under GDPR if personal data is exposed. Additionally, the vulnerability could serve as a foothold for further attacks within the network, impacting availability and operational continuity.

Organizations should immediately audit their use of Ays Pro Survey Maker and restrict administrative access to trusted personnel only. Implement strict input validation and output encoding on all user-supplied data fields within the survey platform to prevent script injection. Monitor logs for unusual administrative activities or unexpected survey content changes. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources. Once the vendor releases a patch, prioritize its deployment across all affected systems. Additionally, conduct security awareness training for administrators to recognize phishing or social engineering attempts that could facilitate exploitation. Consider isolating the survey platform within a segmented network zone to limit lateral movement in case of compromise. Regularly back up survey data to enable recovery from potential defacement or data corruption.