Atomic Edge analysis of CVE-2026-2440 (metadata-based):
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the SurveyJS Drag & Drop Form Builder WordPress plugin, affecting versions up to and including 2.5.3. The vulnerability resides in the plugin’s survey result submission mechanism. Attackers can inject malicious scripts that execute in the WordPress administrator dashboard when viewing survey results. The CVSS 3.1 score of 7.2 (High) reflects its network-based attack vector, low attack complexity, and scope change impact.

Atomic Edge research infers the root cause is a failure to properly sanitize user input and escape output in the context of survey result submissions. The vulnerability description explicitly cites insufficient input sanitization and output escaping. A nonce required for submission is exposed on the public survey page, allowing unauthenticated actors to craft valid requests. The plugin likely accepts HTML-encoded payloads via a POST parameter, stores them in the database, and later decodes and renders them as raw HTML without escaping in the admin panel. These conclusions are inferred from the CWE-79 classification and the public description, as no source code diff is available for confirmation.

Exploitation involves two stages. First, an attacker visits a public survey page created with the plugin to extract a valid nonce value. The attacker then crafts an HTTP POST request to the plugin’s survey submission endpoint, likely `/wp-admin/admin-ajax.php` with an action parameter like `surveyjs_submit_survey`. The payload is an HTML-encoded XSS string (e.g., `alert(document.domain)` encoded as `<script>alert(document.domain)</script>`) submitted within a survey answer parameter. When an administrator later views the collected survey results in `/wp-admin/`, the stored payload is decoded and executed as JavaScript in the admin context.

Remediation requires implementing proper security controls at both the input and output layers. The plugin must validate and sanitize all user-supplied survey data before storage, using functions like `sanitize_text_field` or `wp_kses`. Crucially, any data retrieved from the database and displayed in the admin interface must be escaped on output with functions like `esc_html` or `esc_js`. The nonce should also be validated to ensure it is used only for its intended purpose and context. These measures align with WordPress coding standards for preventing XSS.

The impact of successful exploitation is significant due to the scope change from an unauthenticated public context to the privileged admin context. An attacker can execute arbitrary JavaScript in the administrator’s browser session. This can lead to session hijacking, creation of new administrative accounts, injection of backdoor plugins, site defacement, or data theft from the admin area. The attack is stored, meaning a single malicious submission can compromise every administrator who views the survey results.