Platform: wordpress
Component: surveyjs
Fixed in: 1.12.21
CVE-2025-13140 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the SurveyJS: Drag & Drop WordPress Form Builder plugin. This flaw allows unauthenticated attackers to potentially delete surveys on a WordPress site if they can manipulate a site administrator into performing an action. The vulnerability impacts versions from 0.0.0 through 1.12.20, but a fix is available in version 1.20.27.
The primary impact of this CSRF vulnerability is the unauthorized deletion of surveys. An attacker could craft a malicious link or embed a hidden form that, when visited or submitted by a logged-in administrator, would trigger the SurveyJS_DeleteSurvey AJAX action; the handler relies on the administrator's session cookie alone and does not verify, for example via a nonce, that the administrator intentionally issued the request. This could lead to data loss and disruption of survey functionality. While the attacker needs to trick an administrator into performing the action, the potential for widespread survey deletion makes this a significant risk, particularly for sites relying heavily on survey data for critical business processes. The attack surface is broad, affecting any WordPress site using the vulnerable plugin version.
This vulnerability was publicly disclosed on December 2, 2025. There are currently no known public proof-of-concept exploits available. The CVSS score of 4.3 indicates a medium level of exploitability and impact. It has not been added to the CISA KEV catalog at the time of this writing. Active exploitation is not currently confirmed, but the ease of exploitation (requiring only social engineering of an administrator) suggests potential for future campaigns.
WordPress sites utilizing the SurveyJS: Drag & Drop Form Builder plugin, particularly those with multiple administrators or shared hosting environments, are at increased risk. Sites that do not enforce strict access controls to the survey management area are also more vulnerable. Legacy WordPress installations running older versions of the plugin are especially susceptible.
• wordpress / composer / npm:
grep -r "SurveyJS_DeleteSurvey" /var/www/html/wp-content/plugins/surveyjs-drag-and-drop-form-builder/
• generic web:
# URL quoted so the shell does not treat "&" as a background operator; the pattern matches the status line of HTTP/1.x and HTTP/2 alike. This probes a state-changing endpoint, so run it against a staging copy.
curl -I "https://example.com/wp-admin/admin-ajax.php?action=SurveyJS_DeleteSurvey&survey_id=123" | grep -iE "^HTTP/[0-9.]+ 200"
• wordpress / composer / npm:
wp plugin list --status=all | grep 'surveyjs-drag-and-drop-form-builder'
Disclosure
Exploit status
EPSS: 0.02% (3rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade the SurveyJS: Drag & Drop WordPress Form Builder plugin to version 1.20.27 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests to the SurveyJS_DeleteSurvey endpoint that lack a valid nonce. Additionally, restrict access to the survey management area to authorized personnel only. Regularly review WordPress user roles and permissions to ensure least privilege access. After upgrading, confirm the fix by attempting to delete a survey via a browser with no administrator privileges; the action should be denied.
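As an added illustration (not the plugin's code; hook, table and parameter names are hypothetical), the handler pattern that leaves a WordPress AJAX delete action forgeable, beside the nonce and capability checks that close it:

```php
<?php
// Added example, not the SurveyJS plugin's code. Hook, table and parameter
// names (hypo_*) are hypothetical.

// VULNERABLE PATTERN: the handler trusts the logged-in cookie alone. A request
// triggered from another site in the admin's browser carries that cookie, so
// the survey is deleted although the admin never intended it.
function hypo_delete_survey_unsafe() {
    global $wpdb;
    $survey_id = intval( $_REQUEST['survey_id'] );
    $wpdb->delete( $wpdb->prefix . 'hypo_surveys', array( 'id' => $survey_id ), array( '%d' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_delete_survey_unsafe', 'hypo_delete_survey_unsafe' );

// HARDENED PATTERN: require a nonce bound to this action and the current user
// session, then check the capability, so a forged cross-site request (which
// cannot know the nonce) is rejected before any state changes.
function hypo_delete_survey_safe() {
    // Dies with HTTP 403 when the "nonce" field is missing, stale or for another action.
    check_ajax_referer( 'hypo_delete_survey', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only accept the id from the POST body and normalise it to a positive integer.
    $survey_id = isset( $_POST['survey_id'] ) ? absint( $_POST['survey_id'] ) : 0;
    if ( 0 === $survey_id ) {
        wp_send_json_error( 'invalid survey id', 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'hypo_surveys', array( 'id' => $survey_id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
add_action( 'wp_ajax_hypo_delete_survey_safe', 'hypo_delete_survey_safe' );

// The plugin's own admin page must hand the matching nonce to its script;
// a page on another origin has no way to obtain it.
function hypo_enqueue_admin_script() {
    wp_enqueue_script( 'hypo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hypo-admin', 'hypoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hypo_delete_survey' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hypo_enqueue_admin_script' );
```

A WAF rule used as a stopgap can only approximate the second handler (for example by requiring a `nonce` parameter on that action), since it cannot validate the nonce itself; the upgrade remains the actual fix.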
Update to version 1.20.27 or a newer patched version.
CVE-2025-13140 is a Cross-Site Request Forgery vulnerability in the SurveyJS Drag & Drop Form Builder plugin for WordPress, allowing attackers to delete surveys by tricking administrators.
You are affected if you are using SurveyJS Drag & Drop Form Builder versions 0.0.0 through 1.12.20. Upgrade to mitigate the risk.
Upgrade the plugin to version 1.20.27 or later. As a temporary workaround, implement a WAF rule to block unauthorized requests to the SurveyJS_DeleteSurvey endpoint.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation suggests potential for future attacks.
Refer to the official SurveyJS security advisory for detailed information and updates: [https://surveyjs.io/security/CVE-2025-13140](https://surveyjs.io/security/CVE-2025-13140)