Survey Maker Security & Risk Analysis

wordpress.org/plugins/survey-maker

Create free online surveys and get your visitors' feedbacks directly on your WordPress website with WordPress Survey Plugin

6K active installs · v5.2.1.7 · PHP + WP 4.0+ · Updated Apr 15, 2026
Tags: feedback, form, form-builder, questionnaire, survey
Score: 90 (A · Safe)
CVEs total: 23
Unpatched: 0
Last CVE: Nov 14, 2025
Safety Verdict

Is Survey Maker Safe to Use in 2026?

Generally Safe

Score 90/100

Survey Maker has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

23 known CVEs · Last CVE: Nov 14, 2025 · Updated 1mo ago
Risk Assessment

The "survey-maker" plugin, version 5.2.1.2, presents a mixed security posture. While it demonstrates some good practices, such as a high percentage of SQL queries using prepared statements and a reasonable number of nonce and capability checks, significant concerns exist.

The static analysis reveals a large attack surface, with 16 out of 22 entry points lacking authentication checks. This is further exacerbated by 14 critical taint flows identified, all stemming from unsanitized paths. These findings strongly suggest that user-supplied input is not being adequately validated or sanitized, creating a direct pathway for malicious data to be processed.

The plugin's vulnerability history is deeply troubling, with a substantial 23 known CVEs, including 6 high-severity issues and 17 medium-severity issues. The prevalence of improper authorization, SQL injection, and XSS vulnerabilities in its past indicates a recurring pattern of insecure coding practices. Although there are currently no unpatched CVEs, the sheer volume of past vulnerabilities, particularly those involving authorization and input handling, points to a systemic security weakness that requires significant attention. The recent vulnerability date suggests a continued, though perhaps recently addressed, pattern of issues.

Key Concerns

  • Large attack surface without auth checks
  • High number of critical taint flows
  • Numerous past high-severity CVEs
  • Numerous past medium-severity CVEs
  • History of authorization issues
  • History of SQL Injection vulnerabilities
  • History of XSS vulnerabilities
  • Significant amount of unescaped output
Vulnerabilities
23 published

Survey Maker Security Vulnerabilities

CVEs by Year

  • 2021: 3 CVEs
  • 2022: 1 CVE
  • 2023: 4 CVEs
  • 2024: 7 CVEs
  • 2025: 8 CVEs

Severity Breakdown

  • High: 6
  • Medium: 17

23 total CVEs

CVE-2025-64276 · medium · 4.3 · Missing Authorization

Survey Maker <= 5.1.9.4 - Missing Authorization

Nov 14, 2025 Patched in 5.1.9.5 (4d)
CVE-2025-12891 · medium · 5.3 · Missing Authorization

Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Information Exposure

Nov 12, 2025 Patched in 5.1.9.5 (1d)
CVE-2025-12892 · medium · 5.3 · Missing Authorization

Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Limited Option Update

Nov 12, 2025 Patched in 5.1.9.5 (5d)
CVE-2025-48095 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker <= 5.1.8.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 9, 2025 Patched in 5.1.8.9 (21d)
CVE-2025-48098 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker <= 5.1.8.8 - Unauthenticated Stored Cross-Site Scripting

Oct 9, 2025 Patched in 5.1.8.9 (21d)
CVE-2025-32275 · medium · 5.3 · Improper Authorization

Survey Maker <= 5.1.6.3 - Unauthenticated Authorization Bypass

Apr 7, 2025 Patched in 5.1.6.4 (45d)
CVE-2025-22664 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker <= 5.1.3.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Feb 3, 2025 Patched in 5.1.3.6 (10d)
CVE-2024-13505 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker <= 5.1.3.3 - Authenticated (Admin+) Stored Cross-Site Scripting via Survey Question

Jan 25, 2025 Patched in 5.1.3.4 (1d)
CVE-2024-50426 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker <= 5.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 24, 2024 Patched in 5.0.3 (7d)
CVE-2024-8488 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker – Customer Satisfaction Questionnaire, Chat Survey, Calculation Form, Payment Forms <= 4.9.7 - Authenticated (Admin+) Stored Cross-Site Scripting

Oct 7, 2024 Patched in 4.9.6 (1d)
CVE-2024-4061 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker – Customer Satisfaction Survey, Chat Survey, Calculaton Form, Payment Surveys <= 4.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 30, 2024 Patched in 4.2.9 (38d)
CVE-2023-35764 · medium · 5.3 · Use of Less Trusted Source

Survey Maker <= 4.0.9 - IP Address Spoofing

Apr 27, 2024 Patched in 4.1.0 (11d)
CVE-2023-34423 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker – Best WordPress Survey Plugin <= 3.6.6 - Unauthenticated Stored Cross-Site Scripting

Apr 27, 2024 Patched in 3.6.4 (11d)
CVE-2024-29918 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker <= 4.0.6 - Reflected Cross-Site Scripting

Mar 25, 2024 Patched in 4.0.7 (8d)
CVE-2024-27996 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker <= 4.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Mar 15, 2024 Patched in 4.0.6 (6d)
CVE-2023-2572 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker <= 3.4.6 - Reflected Cross-Site Scripting via 'page' parameter

May 15, 2023 Patched in 3.4.7 (253d)
CVE-2023-22697 · medium · 5.3 · Missing Authorization

Survey Maker <= 3.2.0 - Missing Authorization

Jan 27, 2023 Patched in 3.2.1 (722d)
CVE-2023-23490 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Survey Maker < 3.1.2 - Authenticated (Subscriber+) SQL Injection

Jan 12, 2023 Patched in 3.1.2 (376d)
CVE-2023-0038 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker – Best WordPress Survey Plugin <= 3.1.3 - Unauthenticated Stored Cross-Site Scripting

Jan 3, 2023 Patched in 3.1.4 (385d)
WF-094c0952-4e28-4ed0-80ae-14fcf10cf2e1-survey-maker · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker – Best WordPress Survey Plugin <= 3.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Dec 22, 2022 Patched in 3.1.2 (397d)
CVE-2021-26256 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker <= 2.0.6 - Unauthenticated Stored Cross-Site Scripting

Dec 3, 2021 Patched in 2.0.7 (780d)
WF-b2594fcc-ae07-4f3f-a4fe-0c19524b0193-survey-maker · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Survey Maker – Best WordPress Survey Plugin <= 1.5.5 - Reflected Cross-Site Scripting

Jun 29, 2021 Patched in 1.5.6 (938d)
CVE-2021-24459 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Survey Maker < 1.5.6 - Authenticated SQL Injection

Jun 29, 2021 Patched in 1.5.6 (938d)
Version History

Survey Maker Release Timeline

v5.2.1.7 (Current)
v5.2.1.6
v5.2.1.5
v5.2.1.4
v5.2.1.3
v5.2.1.2
v5.2.1.1
v5.2.1.0
v5.2.0.9
v5.2.0.8
v5.2.0.7
v5.2.0.6
v5.2.0.5
v5.2.0.4
v5.2.0.3
v5.2.0.2
v5.2.0.1
v5.2.0.0
v5.1.9.9
v5.1.9.8
Code Analysis
Analyzed Mar 16, 2026

Survey Maker Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 24 (152 prepared)
  • Unescaped Output: 1909 (4117 escaped)
  • Nonce Checks: 27
  • Capability Checks: 20
  • File Operations: 8
  • External Requests: 4
  • Bundled Libraries: 2

Bundled Libraries

DataTables, Select2

SQL Query Safety

86% prepared · 176 total queries

Output Escaping

68% escaped · 6026 total outputs
Data Flows · Security
16 unsanitized

Data Flow Analysis

25 flows · 16 with unsanitized paths
ays_survey_ajax (public\class-survey-maker-public.php:166)
Attack Surface
16 unprotected

Survey Maker Attack Surface

Entry Points: 22
Unprotected: 16

AJAX Handlers 17

auth · wp_ajax_ays_survey_deactivate_feedback · includes\class-survey-maker-feedback.php:35
auth · wp_ajax_ays_survey_submission_report · includes\class-survey-maker.php:262
nopriv · wp_ajax_ays_survey_submission_report · includes\class-survey-maker.php:263
auth · wp_ajax_deactivate_plugin_option_sm · includes\class-survey-maker.php:266
nopriv · wp_ajax_deactivate_plugin_option_sm · includes\class-survey-maker.php:267
auth · wp_ajax_ays_survey_maker_live_preview_content · includes\class-survey-maker.php:270
nopriv · wp_ajax_ays_survey_maker_live_preview_content · includes\class-survey-maker.php:271
auth · wp_ajax_ays_survey_show_results · includes\class-survey-maker.php:274
nopriv · wp_ajax_ays_survey_show_results · includes\class-survey-maker.php:275
auth · wp_ajax_ays_survey_add_survey_template · includes\class-survey-maker.php:278
nopriv · wp_ajax_ays_survey_add_survey_template · includes\class-survey-maker.php:279
auth · wp_ajax_ays_survey_author_user_search · includes\class-survey-maker.php:281
nopriv · wp_ajax_ays_survey_author_user_search · includes\class-survey-maker.php:282
auth · wp_ajax_ays_survey_install_plugin · includes\class-survey-maker.php:285
auth · wp_ajax_ays_survey_activate_plugin · includes\class-survey-maker.php:286
auth · wp_ajax_ays_survey_ajax · includes\class-survey-maker.php:340
nopriv · wp_ajax_ays_survey_ajax · includes\class-survey-maker.php:341

Shortcodes 5

[ays_survey] public\class-survey-maker-public.php:68
[ays_survey_popup] public\class-survey-maker-public.php:69
[ays_survey_most_popular] public\partials\class-survey-maker-most-popular-shortcode.php:18
[ays_survey_submissions_summary] public\partials\class-survey-maker-submissions-summary-shortcode.php:57
[ays_survey_links_by_category] public\partials\class-survey-maker-survey-links-by-category.php:16

WordPress Hooks 85

filter · set-screen-option · admin\class-survey-maker-admin.php:130
filter · parent_file · admin\class-survey-maker-admin.php:616
action · admin_notices · admin\class-survey-maker-admin.php:4702
action · plugins_loaded · includes\class-survey-maker-ays-welcome.php:18
action · admin_menu · includes\class-survey-maker-ays-welcome.php:22
action · admin_head · includes\class-survey-maker-ays-welcome.php:23
action · admin_init · includes\class-survey-maker-ays-welcome.php:24
action · admin_enqueue_scripts · includes\class-survey-maker-ays-welcome.php:25
action · init · includes\class-survey-maker-custom-post-type.php:14
action · current_screen · includes\class-survey-maker-feedback.php:26
action · admin_enqueue_scripts · includes\class-survey-maker-feedback.php:31
action · admin_footer · includes\class-survey-maker-feedback.php:61
action · plugins_loaded · includes\class-survey-maker.php:224
action · admin_enqueue_scripts · includes\class-survey-maker.php:239
action · admin_enqueue_scripts · includes\class-survey-maker.php:240
action · admin_enqueue_scripts · includes\class-survey-maker.php:241
action · admin_menu · includes\class-survey-maker.php:244
action · admin_menu · includes\class-survey-maker.php:245
action · admin_menu · includes\class-survey-maker.php:246
action · admin_menu · includes\class-survey-maker.php:247
action · admin_menu · includes\class-survey-maker.php:248
action · admin_menu · includes\class-survey-maker.php:250
action · admin_menu · includes\class-survey-maker.php:251
action · admin_menu · includes\class-survey-maker.php:252
action · admin_menu · includes\class-survey-maker.php:253
action · admin_menu · includes\class-survey-maker.php:254
action · admin_menu · includes\class-survey-maker.php:257
action · admin_menu · includes\class-survey-maker.php:260
action · admin_enqueue_scripts · includes\class-survey-maker.php:297
action · in_admin_footer · includes\class-survey-maker.php:299
action · elementor/widgets/widgets_registered · includes\class-survey-maker.php:302
filter · plugin_row_meta · includes\class-survey-maker.php:307
action · ays_survey_sale_banner · includes\class-survey-maker.php:311
action · current_screen · includes\class-survey-maker.php:314
action · wp_enqueue_scripts · includes\class-survey-maker.php:335
action · wp_footer · includes\class-survey-maker.php:337
action · ays_sm_survey_page_integrations · includes\class-survey-maker.php:357
action · ays_sm_settings_page_integrations · includes\class-survey-maker.php:360
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:364
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:367
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:371
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:374
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:378
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:381
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:385
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:388
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:392
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:395
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:399
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:402
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:406
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:411
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:416
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:418
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:423
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:425
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:430
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:432
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:437
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:439
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:444
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:447
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:452
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:455
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:460
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:463
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:468
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:471
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:476
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:479
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:484
filter · ays_sm_settings_page_integrations_contents · includes\class-survey-maker.php:489
filter · ays_sm_survey_page_integrations_contents · includes\class-survey-maker.php:492
action · admin_notices · includes\lists\class-survey-maker-each-submission-list-table.php:13
filter · default_hidden_columns · includes\lists\class-survey-maker-each-submission-list-table.php:14
action · admin_notices · includes\lists\class-survey-maker-popup-survey-list-table.php:41
action · admin_notices · includes\lists\class-survey-maker-submissions-list-table.php:15
action · admin_notices · includes\lists\class-survey-maker-survey-categories-list-table.php:41
action · admin_notices · includes\lists\class-survey-maker-surveys-list-table.php:54
filter · default_hidden_columns · includes\lists\class-survey-maker-surveys-list-table.php:55
action · enqueue_block_editor_assets · survey\survey-maker-block.php:132
action · enqueue_block_assets · survey\survey-maker-block.php:135
action · init · survey\survey-maker-block.php:139
action · plugins_loaded · survey-maker.php:85
action · admin_notices · survey-maker.php:106
Maintenance & Trust

Survey Maker Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Apr 15, 2026
PHP min version
Downloads: 637K

Community Trust

Rating: 96/100
Number of ratings: 77
Active installs: 6K
Developer Profile

Survey Maker Developer Profile

Ays Pro

18 plugins · 111K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 203 days
Detection Fingerprints

How We Detect Survey Maker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/survey-maker/public/css/frontend.css
  • /wp-content/plugins/survey-maker/public/css/style.css
  • /wp-content/plugins/survey-maker/public/js/frontend.js
  • /wp-content/plugins/survey-maker/public/js/scripts.js
  • /wp-content/plugins/survey-maker/admin/css/admin.css
  • /wp-content/plugins/survey-maker/admin/js/admin.js

Script Paths

  • /wp-content/plugins/survey-maker/public/js/frontend.js
  • /wp-content/plugins/survey-maker/public/js/scripts.js
  • /wp-content/plugins/survey-maker/admin/js/admin.js

Version Parameters

  • survey-maker/public/css/frontend.css?ver=
  • survey-maker/public/css/style.css?ver=
  • survey-maker/public/js/frontend.js?ver=
  • survey-maker/public/js/scripts.js?ver=
  • survey-maker/admin/css/admin.css?ver=
  • survey-maker/admin/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • ays-notice-banner
  • ays-survey-upgrade-container
  • ays-navigation-container-updrade-button-box
  • survey-maker-frontend
  • survey-maker-form-id-

HTML Comments

  • <!-- Survey Maker plugin allows you to create unlimited surveys with unlimited sections and unlimited questions. -->
  • <!-- Currently plugin version. -->
  • <!-- Start at version 1.0.0 and use SemVer - https://semver.org -->
  • <!-- Rename this for your plugin and update it as you release new versions. -->
  • +16 more

Data Attributes

  • data-survey-id
  • data-survey-form-id

JS Globals

  • SURVEY_MAKER_VERSION
  • SURVEY_MAKER_NAME_VERSION
  • SURVEY_MAKER_NAME
  • SURVEY_MAKER_DB_PREFIX
  • SURVEY_MAKER_BASENAME
  • SURVEY_MAKER_DIR
  • +5 more

Shortcode Output

  • [survey-maker-id-
  • [survey-maker-form-id-