CVE-2026-26370 is a cross-site scripting (XSS) vulnerability identified in the WordPress plugin 'Survey Maker' developed by Ays Pro, affecting versions 5.1.7.7 and prior. The vulnerability arises from insufficient input sanitization or output encoding within the plugin's code, allowing an attacker to inject malicious JavaScript code into survey content or other plugin-managed inputs. When a user views the compromised content, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability requires no authentication but does require user interaction, such as visiting a maliciously crafted survey page. The CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction needed, scope changed, and low impact on confidentiality and integrity, with no impact on availability. Although no known exploits are currently reported in the wild, the widespread use of WordPress and the popularity of survey plugins increase the risk of exploitation once a public exploit becomes available. The vulnerability was published on February 20, 2026, with no patch links currently provided, suggesting that users should monitor vendor updates closely.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity through the execution of arbitrary scripts in the victim's browser. Attackers could steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. This can lead to unauthorized access to sensitive information or manipulation of survey data. While availability is not affected, the trustworthiness of the affected websites and their data integrity can be undermined. Organizations relying on the Survey Maker plugin for customer feedback or data collection may face reputational damage and potential data breaches. The medium severity rating reflects the balance between the ease of exploitation (no authentication required) and the limited scope of impact (user interaction required and no direct system compromise).

Organizations should immediately audit their WordPress installations to identify the use of the Survey Maker plugin and verify the version in use. Until a patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. Implementing strict input validation and output encoding within the plugin's configuration or custom code can reduce the risk of XSS. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Additionally, educating users to avoid interacting with suspicious survey links and monitoring web application logs for unusual activity can aid in early detection. Once a vendor patch is available, prompt application of updates is critical. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the plugin can provide an additional layer of defense.