CVE-2026-2440: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in devsoftbaltic SurveyJS: Drag & Drop Form Builder
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context.
AI Analysis
Technical Summary
CVE-2026-2440 is a stored Cross-Site Scripting vulnerability classified under CWE-79 affecting the SurveyJS Drag & Drop Form Builder WordPress plugin developed by devsoftbaltic. The vulnerability exists in all versions up to and including 2.5.3 due to insufficient sanitization and escaping of user-submitted survey results. The public survey page exposes a nonce token required for submission, which can be leveraged by unauthenticated attackers to submit HTML-encoded payloads. These payloads are stored in the survey results and later decoded and rendered as executable HTML/JavaScript in the administrator's browser context when viewing survey results. This stored XSS in the admin context can lead to session hijacking, privilege escalation, or other malicious actions performed with administrator privileges. The vulnerability does not require authentication or user interaction, increasing its exploitability. The CVSS v3.1 base score is 7.2 (High), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change with partial confidentiality and integrity impact but no availability impact. No official patches or exploit code are currently publicly available, but the risk remains significant given the plugin's use in WordPress environments.
Potential Impact
The impact of CVE-2026-2440 is substantial for organizations using the vulnerable SurveyJS plugin on WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the administrator's browser, potentially leading to theft of admin session cookies, unauthorized administrative actions, defacement, or deployment of further malware. Since the attack vector is unauthenticated and remote, attackers can target any public-facing survey page. The compromise of administrator accounts can lead to full site takeover, data breaches, and disruption of business operations. Organizations relying on SurveyJS for data collection or customer feedback risk exposure of sensitive information and loss of trust. The vulnerability's presence in a widely used CMS plugin increases the attack surface for web applications globally, especially those with high administrative privileges and sensitive data.
Mitigation Recommendations
To mitigate CVE-2026-2440, organizations should upgrade the SurveyJS plugin as soon as a version that fixes this vulnerability is released. Until an official patch is available, administrators should implement strict input validation and output encoding on survey result submissions so that stored HTML/JavaScript is never rendered as markup. Restrict access to survey result pages to trusted administrators only and consider additional web application firewall (WAF) rules to detect and block suspicious payloads targeting the survey submission endpoints. Employ Content Security Policy (CSP) headers to limit script execution contexts and reduce XSS impact. Regularly audit and sanitize stored survey data to remove any injected scripts. Monitoring logs for unusual survey submissions and administrator session anomalies can help detect exploitation attempts early. Finally, educate administrators on the risks of clicking untrusted links or viewing unverified survey results.
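The defect described above (stored answers are HTML-encoded on the way in, then decoded before being written into the admin results page) and the output-encoding mitigation can be shown side by side. The following is an added illustration written for this page; it is not the plugin's code, and `decodeEntities`, `renderResultVulnerable`, `renderResultSafe` and `auditStoredAnswers` are hypothetical names. The sample answer is constructed.

```javascript
// Constructed sample submission: the answer arrives already HTML-encoded,
// as the advisory describes, and is stored verbatim.
const SAMPLE_ANSWER = "Feedback: &lt;script&gt;alert(1)&lt;/script&gt;";

// Hypothetical single-level entity decoder, standing in for whatever decoding
// step the vulnerable rendering path performs before output. "&amp;" is
// handled last so that "&amp;lt;" decodes to the literal text "&lt;".
function decodeEntities(s) {
  return String(s)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Escape for an HTML text or double-quoted attribute context.
// "&" must be escaped first, otherwise later replacements are double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: trust that the stored value is "already encoded",
// decode it back to raw characters, and concatenate it into the page.
// Whatever the submitter encoded now executes in the administrator's browser.
function renderResultVulnerable(answer) {
  return `<td>${decodeEntities(answer)}</td>`;
}

// Hardened pattern: treat the stored value as untrusted text regardless of
// how it looks, and escape at the point of output. The admin sees exactly
// the characters that were submitted, as text, never as markup.
function renderResultSafe(answer) {
  return `<td>${escapeHtml(answer)}</td>`;
}

// Audit helper for the "regularly audit stored survey data" recommendation:
// decode each stored answer the way the vulnerable path would and report the
// indexes whose decoded form contains a tag or an inline event handler.
function auditStoredAnswers(answers) {
  const flagged = [];
  answers.forEach((a, i) => {
    const decoded = decodeEntities(a);
    if (/<\s*\/?[a-z]/i.test(decoded) || /\bon[a-z]+\s*=/i.test(decoded)) {
      flagged.push(i);
    }
  });
  return flagged;
}

// Stand-alone demonstration.
console.log("vulnerable:", renderResultVulnerable(SAMPLE_ANSWER));
console.log("safe:      ", renderResultSafe(SAMPLE_ANSWER));
console.log("flagged:   ", auditStoredAnswers(["thanks", SAMPLE_ANSWER, "5 &amp; 6"]));
```

Note that the exposed nonce mentioned in the description is not the root cause: a WordPress nonce on a public form only ties the request to that form and is not an authentication control, so hiding it would not close the hole. The fix is the escape-at-output step in `renderResultSafe`, applied to every stored value on the results page. In a real plugin the equivalent is the platform's own output escaping (for WordPress, `esc_html()` on each value), and CSP headers as recommended above reduce the blast radius if a value is still rendered raw somewhere.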
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-12T23:54:31.843Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69be180df4197a8e3b7842bc
Added to database: 3/21/2026, 4:01:17 AM
Last enriched: 3/21/2026, 4:17:36 AM
Last updated: 3/22/2026, 6:16:25 AM