Aggregates CVE and security vulnerability intelligence across all getperfectsurvey-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk cross-site scripting, vendor risk sql injection, and vendor risk csrf, with potential vendor impact session compromise across vendor surface software deployment use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2021-24765 | The Perfect Survey WordPress plugin through 1.5.2 does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue | [email protected] | 6.1 | 3.23% | 2022-02-01 | 2024-11-21 |
| CVE-2021-24764 | The Perfect Survey WordPress plugin before 1.5.2 does not sanitise and escape multiple parameters (id and filters[session_id] of single_statistics page, type and message of importexport page) before outputting them back in pages/attributes in the admin dashboard, leading to Reflected Cross-Site Scripting issues | [email protected] | 6.1 | 0.20% | 2022-02-01 | 2024-11-21 |
| CVE-2021-24763 | The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which will be executed in the context of a user viewing any survey | [email protected] | 8.8 | 0.53% | 2022-02-01 | 2024-11-21 |
| CVE-2021-24762 | The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection. | [email protected] | 9.8 | 85.67% | 2022-02-01 | 2024-11-21 |