CVE-2025-3815: 
WordPress vulnerability analysis and mitigation

The SurveyJS plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-3815) discovered in all versions up to and including 1.12.32. The vulnerability was identified through the 'id' parameter due to insufficient input sanitization and output escaping. This security issue was disclosed on May 3, 2025, and received a CVSS v3.1 score of 6.4 (Medium) (NVD, Wiz).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue stems from inadequate input sanitization and output escaping of the 'id' parameter in the SurveyJS WordPress plugin. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges (Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft or manipulation of user interactions (NVD).

A fix has been implemented in the SurveyJS WordPress plugin repository as evidenced by the commit 6c332319c82c32d7148f77ed7ee20a9c6a5dc179. Users are advised to update their installations to versions newer than 1.12.32 to protect against this vulnerability (GitHub Commit).