CVE-2021-26256: 
WordPress vulnerability analysis and mitigation

An Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability was discovered in Survey Maker WordPress plugin versions 2.0.6 and below. The vulnerability was disclosed on December 3, 2021, and was assigned CVE-2021-26256. The issue affects the Survey Maker plugin developed by ays-pro for WordPress installations (Patchstack, WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (Medium) according to NVD, and 4.7 (Medium) according to Patchstack. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it can be exploited remotely without authentication but requires user interaction (NVD).

This vulnerability could allow malicious actors to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The impact includes potential compromise of confidentiality and integrity at a low level (Patchstack).

The vulnerability was patched in version 2.0.7 of the Survey Maker plugin. Users are advised to update to version 2.0.7 or later to remove the vulnerability (Patchstack).