CVE-2025-48098

HIGH 7.1 / 10.0
Published: October 22, 2025 at 03:15 PM
Modified: January 20, 2026 at 03:16 PM
Source: audit@patchstack.com

Vulnerability Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Survey Maker survey-maker allows Stored XSS. This issue affects Survey Maker: from n/a through <= 5.1.8.8.

CVSS Metrics

Base Score: 7.1
Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Weaknesses (CWE)

Source: audit@patchstack.com

AI Security Analysis

01 // Technical Summary

A stored Cross-Site Scripting (XSS) vulnerability in the Ays Pro Survey Maker plugin allows attackers to inject malicious JavaScript into web pages, potentially leading to account compromise, data theft, and website defacement. The flaw, present in versions up to and including 5.1.8.8, is exploited by submitting input that is not properly sanitized before being displayed to other users, so the attacker's code executes within the context of the vulnerable website.

02 // Vulnerability Mechanism

Step 1: Payload Injection: An attacker crafts a malicious JavaScript payload (e.g., <script>alert('XSS')</script>) and injects it into a vulnerable input field within the Survey Maker plugin, such as a survey question, answer option, or user comment field.

Step 2: Data Storage: The malicious payload is stored within the plugin's database, associated with the survey or user data.

Step 3: Payload Retrieval: When a legitimate user views the survey or interacts with the data containing the malicious payload, the plugin retrieves the stored data from the database.

Step 4: Unsanitized Rendering: The plugin fails to properly sanitize or encode the attacker's injected JavaScript payload before rendering it in the HTML output.

Step 5: Code Execution: The user's web browser interprets the injected JavaScript as part of the webpage's code and executes it within the context of the vulnerable website, leading to the XSS attack.

03 // Deep Technical Analysis

The vulnerability stems from an improper neutralization of input during web page generation. Specifically, the Survey Maker plugin fails to adequately sanitize user-supplied data before displaying it within the survey interface. This allows attackers to inject malicious JavaScript payloads into fields such as survey questions, answers, or user comments. When other users view the survey or interact with the compromised data, the injected script executes within their browsers, enabling a wide range of attacks. The root cause is likely a missing or insufficient input validation and output encoding mechanism within the plugin's code, allowing unsanitized user input to be directly rendered in the HTML output.
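The store-then-render path in Steps 1-5 and the missing output encoding named in the analysis above, as an added PHP example. It is not Survey Maker's code; the row layout and function names are hypothetical and the rows are constructed sample data.

```php
<?php
// Added example: not Survey Maker's code. Row layout and function names are hypothetical.

// Constructed rows standing in for answers already saved in the database (Step 2).
$stored_answers = [
    ['id' => 1, 'text' => 'Very satisfied'],
    ['id' => 2, 'text' => '5" screen & stand'],              // benign, but has HTML-special chars
    ['id' => 3, 'text' => "<script>alert('XSS')</script>"],  // payload quoted in Step 1
];

// Vulnerable pattern (Steps 3-5): stored text is concatenated into markup as-is.
function render_answer_vulnerable(array $row): string
{
    return '<li data-id="' . $row['id'] . '" title="' . $row['text'] . '">'
         . $row['text'] . '</li>';
}

// Encode for HTML body and quoted-attribute contexts. In WordPress code the
// corresponding helpers are esc_html() and esc_attr().
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: encode at the point of output, whatever was stored.
function render_answer_hardened(array $row): string
{
    return '<li data-id="' . (int) $row['id'] . '" title="' . esc($row['text']) . '">'
         . esc($row['text']) . '</li>';
}

foreach ($stored_answers as $row) {
    $unsafe = render_answer_vulnerable($row);
    $safe   = render_answer_hardened($row);
    // Rows whose two renderings differ contain characters the browser would
    // have parsed as markup; on existing data this doubles as an audit signal.
    $flag = ($unsafe === $safe) ? 'same' : 'DIFFERS';
    printf("id=%d [%s]\n  vulnerable: %s\n  hardened:   %s\n", $row['id'], $flag, $unsafe, $safe);
}
```

Row 2 shows why encoding belongs at output rather than only as an input filter: a harmless answer containing a quote still breaks the attribute in the vulnerable rendering.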
