Platform: wordpress
Component: surveyjs
Fixed in: 2.5.4
CVE-2025-13139 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the SurveyJS: Drag & Drop WordPress Form Builder plugin. This vulnerability allows unauthenticated attackers to create surveys by crafting malicious requests and tricking a site administrator into executing them. The vulnerability impacts versions 0.0.0 through 2.5.2 of the plugin, and a fix is available in version 2.5.3.
An attacker exploiting this CSRF vulnerability could create arbitrary surveys on a WordPress site without holding any credentials for it. This could lead to the injection of malicious content, data theft, or further exploitation depending on the survey's functionality and how it is used. The impact is amplified if the site administrator is tricked into performing actions that automatically publish or distribute these malicious surveys. While the initial attack requires social engineering to lure an administrator, the potential consequences can be significant, affecting both site integrity and user data.
This vulnerability was publicly disclosed on 2026-01-24. No public proof-of-concept (PoC) code had been released at the time of writing. The vulnerability is not currently listed in the CISA KEV catalog. Given the relatively straightforward nature of CSRF exploitation, attackers may develop and deploy PoCs in the future.
Exploit Status
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2025-13139 is to upgrade the SurveyJS: Drag & Drop WordPress Form Builder plugin to version 2.5.3 or later without delay. If upgrading is not immediately feasible, consider implementing stricter input validation and output encoding on the SurveyJS_AddSurvey AJAX action. Additionally, enforcing WordPress's core CSRF protection on that action, namely verifying a nonce on every state-changing request, provides a further layer of defense. Regularly review installed WordPress plugins and ensure they come from trusted sources.
Update to version 2.5.3, or a newer patched version
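The page names the SurveyJS_AddSurvey AJAX action but shows no code. The PHP below is an added example written for this page, not the plugin's own code: a hypothetical handler in the shape that leaves a wp_ajax_ action CSRF-prone, followed by the hardened form that applies the nonce and capability checks the mitigation section refers to. The function names, the `surveyjs_surveys` option and the `surveyjs_add_survey` nonce action string are assumptions.

```php
<?php
// Added example (not the plugin's code). Handler shapes for the
// SurveyJS_AddSurvey action; function, option and nonce names are assumed.

// BEFORE: nothing in this request is tied to the logged-in user, so a page
// on any origin can make an administrator's browser submit it, and the
// admin's session cookie makes WordPress accept it.
function surveyjs_add_survey_unsafe() {
    $surveys   = get_option( 'surveyjs_surveys', array() );
    $surveys[] = array(
        'name' => $_POST['name'],   // unsanitized, accepted from any origin
        'json' => $_POST['json'],
    );
    update_option( 'surveyjs_surveys', $surveys );
    wp_send_json_success();
}
// (would be hooked as: add_action( 'wp_ajax_SurveyJS_AddSurvey', ... ))

// AFTER: a nonce bound to the user's session and this action, a capability
// check, and validation of the survey definition before it is stored.
function surveyjs_add_survey_safe() {
    // Dies with a 403 JSON response if 'nonce' is missing or not valid for
    // the 'surveyjs_add_survey' action; a cross-origin page cannot read it.
    check_ajax_referer( 'surveyjs_add_survey', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $json = wp_unslash( $_POST['json'] ?? '' );
    if ( '' === $name || null === json_decode( $json, true ) ) {
        wp_send_json_error( 'invalid survey definition', 400 );
    }

    $surveys   = get_option( 'surveyjs_surveys', array() );
    $surveys[] = array( 'name' => $name, 'json' => $json );
    update_option( 'surveyjs_surveys', $surveys );
    wp_send_json_success();
}
add_action( 'wp_ajax_SurveyJS_AddSurvey', 'surveyjs_add_survey_safe' );

// The admin page that issues the request is handed the nonce; the
// browser-side script sends it as the 'nonce' POST field.
function surveyjs_enqueue_admin_script() {
    wp_enqueue_script( 'surveyjs-admin', plugins_url( 'admin.js', __FILE__ ), array(), null, true );
    wp_localize_script( 'surveyjs-admin', 'surveyjsAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'surveyjs_add_survey' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'surveyjs_enqueue_admin_script' );
```

Deliberately omitting the `wp_ajax_nopriv_` hook keeps the action reachable only by logged-in users; the nonce check is what stops a logged-in administrator's browser from being driven by a third-party page.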
CVE-2025-13139 is a Cross-Site Request Forgery (CSRF) vulnerability in the SurveyJS Drag & Drop WordPress Form Builder plugin, allowing attackers to create surveys via forged requests.
You are affected if you are using SurveyJS Drag & Drop Form Builder versions 0.0.0 through 2.5.2. Upgrade to 2.5.3 or later to mitigate the risk.
Upgrade the SurveyJS Drag & Drop Form Builder plugin to version 2.5.3 or later. Consider implementing stricter input validation and enabling WordPress's core CSRF protection.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted in the future.
Refer to the official SurveyJS advisory on their website or GitHub repository for detailed information and updates.