CVE-2025-13140: SurveyJS WordPress Plugin Vulnerable to CSRF – Delete Your Surveys Now!

Published: 2025-12-02T07:15:48.520

Overview

A Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-13140, affects the SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress. This vulnerability exists in all versions up to and including 1.12.20. An unauthenticated attacker can exploit this flaw to delete surveys if they can trick a site administrator into clicking a malicious link or performing an action that triggers a forged request.

Technical Details

The vulnerability stems from a missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. WordPress uses nonces as security tokens to verify that a request was intentionally issued by the current user for a specific action, rather than forged by a third-party page that the browser happens to load while the user is logged in. Without proper nonce validation, an attacker can craft a malicious request to delete surveys. If an authenticated administrator visits a webpage controlled by the attacker (e.g., clicks a specially crafted link), their browser will automatically include the admin’s session cookies, allowing the attacker to execute the SurveyJS_DeleteSurvey action on the administrator’s behalf.

Affected file: ajax_handlers/delete_survey.php
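The defect class described above, as an added illustration that is not the SurveyJS plugin's own code: a hypothetical handler for the SurveyJS_DeleteSurvey action that accepts the request on the strength of the session cookie alone, followed by the hardened form a WordPress plugin would use (nonce verification bound to the action plus a capability check). The function names, table name, script handle and nonce action string are assumptions.

```php
<?php
// Added example, not the SurveyJS plugin's code. All names here are assumptions.

// VULNERABLE PATTERN: nothing ties the request to a deliberate admin action,
// so a cross-site request carried by the admin's own cookies is accepted.
function example_delete_survey_unsafe() {
    global $wpdb;
    $id = absint( $_POST['survey_id'] ?? 0 );
    $wpdb->delete( $wpdb->prefix . 'example_surveys', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// HARDENED PATTERN: require a valid nonce for this specific action and
// confirm the caller holds the capability needed to delete surveys.
function example_delete_survey_safe() {
    global $wpdb;
    // Terminates the request with a 403 when 'nonce' is missing, expired,
    // issued to another user, or created for a different action.
    check_ajax_referer( 'example_delete_survey', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $id = absint( $_POST['survey_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid survey id', 400 );
    }
    $deleted = $wpdb->delete( $wpdb->prefix . 'example_surveys', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
// Only the hardened handler is registered, and only on the authenticated
// 'wp_ajax_' hook; there is no 'wp_ajax_nopriv_' registration.
add_action( 'wp_ajax_SurveyJS_DeleteSurvey', 'example_delete_survey_safe' );

// Hand a fresh nonce to the admin-side script so legitimate deletions can
// include it in the POST body as the 'nonce' field checked above.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-surveys', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-surveys', 'exampleSurveys', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_survey' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The nonce check alone is what closes the CSRF path; the capability check is the separate authorization control that a missing-nonce report does not imply is absent.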

CVSS Analysis

  • Severity: MEDIUM
  • CVSS Score: 4.3
  • CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N (Example Vector – may require adjustment based on official analysis)

Possible Impact

A successful CSRF attack could result in the unauthorized deletion of surveys stored within the WordPress database. This can lead to data loss, disruption of survey-based data collection processes, and potential reputational damage if critical surveys are deleted.

Mitigation or Patch Steps

The vulnerability has been addressed in versions later than 1.12.20. To mitigate this vulnerability, users are strongly advised to:

  1. Update the SurveyJS plugin: Upgrade to the latest version of the SurveyJS: Drag & Drop WordPress Form Builder plugin through the WordPress dashboard. This version includes the necessary security fix.
  2. Exercise Caution: Be wary of clicking on suspicious links or opening unsolicited emails, especially those requesting you to perform actions on your WordPress site.
