CVE-2025-23485

The RS Survey plugin for WordPress (versions up to and including 1.0) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw arises when the plugin fails to sanitize or escape input before reflecting it in HTTP responses, enabling an attacker to inject arbitrary HTML and JavaScript code [1].

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. The attacker does not need authentication to deliver the payload, but the victim must be a privileged user (e.g., an administrator) to trigger the execution. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of WordPress sites [1].

Successful exploitation allows an attacker to inject malicious scripts that can perform actions like redirecting visitors to attacker-controlled sites, displaying advertisements, or stealing session cookies. The CVSS v3 base score of 7.1 (High) reflects the potential for significant impact on confidentiality, integrity, and availability [1].

As of the publication date, no official patch is available. However, Patchstack has issued a mitigation rule to block attacks until an update can be safely applied. Users are advised to update the plugin immediately or contact their hosting provider for assistance [1].