Plugin Vulnerability Hub
Plugin | 23 known issues | Latest disclosed Nov 14, 2025

Survey Maker by AYS Vulnerabilities

Review known vulnerability records for the WordPress plugin Survey Maker by AYS (`survey-maker`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-64276, CVE-2025-12891 and CVE-2025-12892, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 23
High or Critical: 6
Patch Coverage: 100%
Last Updated: Nov 17, 2025
Indexed CVEs: 21

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Survey Maker by AYS so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 23 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 0 critical and 6 high severity findings.
Recent CVEs: CVE-2025-64276, CVE-2025-12891 and CVE-2025-12892
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Known Vulnerabilities

Reports for Survey Maker by AYS

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-64276
CVE-2025-64276: Survey Maker <= 5.1.9.4 - Missing Authorization

The Survey Maker plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.1.9.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an una...

Published: Nov 14, 2025
Patched Release: 5.1.9.5
Affected Versions: Up to 5.1.9.4
Next Step: Update to 5.1.9.5 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-12891
CVE-2025-12891: Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Information Exposure

The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all surv...

Published: Nov 12, 2025
Patched Release: 5.1.9.5
Affected Versions: Up to 5.1.9.4
Next Step: Update to 5.1.9.5 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-12892
CVE-2025-12892: Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Limited Option Update

The Survey Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to update the...

Published: Nov 12, 2025
Patched Release: 5.1.9.5
Affected Versions: Up to 5.1.9.4
Next Step: Update to 5.1.9.5 or newer if supported.

Plugin High Patched: Yes CVE-2025-48098
CVE-2025-48098: Survey Maker <= 5.1.8.8 - Unauthenticated Stored Cross-Site Scripting

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages t...

Published: Oct 09, 2025
Patched Release: 5.1.8.9
Affected Versions: Up to 5.1.8.8
Next Step: Update to 5.1.8.9 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-48095
CVE-2025-48095: Survey Maker <= 5.1.8.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above,...

Published: Oct 09, 2025
Patched Release: 5.1.8.9
Affected Versions: Up to 5.1.8.8
Next Step: Update to 5.1.8.9 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-32275
CVE-2025-32275: Survey Maker <= 5.1.6.3 - Unauthenticated Authorization Bypass

The Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.6.3. This makes it possible for unauthenticated attackers to bypass some level of control, though it is unclear what this means from the original reporting CNA...

Published: Apr 07, 2025
Patched Release: 5.1.6.4
Affected Versions: Up to 5.1.6.3
Next Step: Update to 5.1.6.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-22664
CVE-2025-22664: Survey Maker <= 5.1.3.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.1.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above,...

Published: Feb 03, 2025
Patched Release: 5.1.3.6
Affected Versions: Up to 5.1.3.5
Next Step: Update to 5.1.3.6 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-13505
CVE-2024-13505: Survey Maker <= 5.1.3.3 - Authenticated (Admin+) Stored Cross-Site Scripting via Survey Question

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ays_sections[5][questions][8][title]’ parameter in all versions up to, and including, 5.1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authent...

Published: Jan 25, 2025
Patched Release: 5.1.3.4
Affected Versions: Up to 5.1.3.3
Next Step: Update to 5.1.3.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-50426
CVE-2024-50426: Survey Maker <= 5.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to...

Published: Oct 24, 2024
Patched Release: 5.0.3
Affected Versions: Up to 5.0.2
Next Step: Update to 5.0.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-8488
CVE-2024-8488: Survey Maker – Customer Satisfaction Questionnaire, Chat Survey, Calculation Form, Payment Forms <= 4.9.7 - Authenticated (Admin+) Stored Cross-Site Scripting

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Survey fields in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-leve...

Published: Oct 07, 2024
Patched Release: 4.9.6
Affected Versions: Up to 4.9.5
Next Step: Update to 4.9.6 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-4061
CVE-2024-4061: Survey Maker – Customer Satisfaction Survey, Chat Survey, Calculaton Form, Payment Surveys <= 4.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting

The Survey Maker – Customer Satisfaction Survey, Chat Survey, Calculaton Form, Payment Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.8 due to insufficient input sanitization and output escapi...

Published: Apr 30, 2024
Patched Release: 4.2.9
Affected Versions: Up to 4.2.8
Next Step: Update to 4.2.9 or newer if supported.

Plugin High Patched: Yes CVE-2023-34423
CVE-2023-34423: Survey Maker – Best WordPress Survey Plugin <= 3.6.6 - Unauthenticated Stored Cross-Site Scripting

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbit...

Published: Apr 27, 2024
Patched Release: 3.6.4
Affected Versions: Up to 3.6.3
Next Step: Update to 3.6.4 or newer if supported.