CVE-2025-22664: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Survey Maker WordPress plugin, identified as CVE-2025-22664. The vulnerability affects Survey Maker versions up to 5.1.3.5 and was discovered by security researcher astra.r3verii on January 27, 2025, with public disclosure on February 3, 2025. The vulnerability allows authenticated users with administrator privileges to inject malicious scripts into survey questions (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires network access, low attack complexity, high privileges, and user interaction, with potential impacts on confidentiality, integrity, and availability all rated as low (NVD).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The impact is considered low severity due to the high privilege requirement for exploitation (Patchstack).

The vulnerability has been patched in Survey Maker version 5.1.3.6. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins as an additional security measure (Patchstack).