CVE-2025-10196

Root

Cause The Survey Anyplace WordPress plugin versions up to and including 1.0.0 contain a stored cross-site scripting (XSS) vulnerability in the surveyanyplace_embed shortcode. The plugin fails to properly sanitize user-supplied attributes (such as style, button_text, or presentation-related fields) before embedding them into output rendered in templates like surveyanyplace.php [1][2]. Insufficient input validation and output escaping allow arbitrary HTML and JavaScript to be injected.

Exploitation

An authenticated attacker with at least Contributor-level access can create or edit a post or page and insert the vulnerable shortcode with malicious payloads in attribute values. The injected code is then stored in the WordPress database and executed in the browser of any visitor who views the affected content. No additional privileges or complex network access are required beyond standard post editing capabilities.

Impact

Successful exploitation results in arbitrary web script execution in the context of the victim's browser session. This can be leveraged to steal session cookies, perform actions on behalf of the victim, deface pages, or redirect users to malicious sites. The XSS is stored, meaning the payload persists and affects multiple users over time.

Mitigation

The vendor has not released a patched version at the time of publication; the vulnerability affects all versions up to 1.0.0. Users should disable the plugin or restrict contributor and author roles until a security update is available. There is no indication this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.