Platform: wordpress
Component: surveyjs
Fixed in: 1.10.0, 2.5.4
CVE-2025-13205 describes a Cross-Site Request Forgery (CSRF) vulnerability in the SurveyJS: Drag & Drop WordPress Form Builder plugin. The SurveyJS_CloneSurvey AJAX action does not validate a nonce, so an attacker who holds no account on the site can have surveys duplicated by riding on a logged-in administrator's browser session. The vulnerability affects versions 1.0.0 through 2.5.2, and a fix is available in version 2.5.3.
The impact is that surveys can be duplicated without the attacker ever authenticating. The attacker hosts a page or link that submits a request for the SurveyJS_CloneSurvey action and entices a logged-in site administrator to open it; the administrator's browser attaches the WordPress session cookie, and because the handler has no nonce to prove the request originated from the plugin's own admin page, it creates a copy of the survey. While seemingly minor, this could be leveraged for various malicious purposes, such as creating duplicate forms to collect sensitive data, disrupting legitimate survey operations, or potentially injecting malicious content into the duplicated forms. The blast radius is limited to the WordPress site running the vulnerable plugin and its administrators.
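To make the mechanism concrete, here is an added illustration written for this page; it is not the plugin's actual source. It shows a WordPress AJAX handler hooked to wp_ajax_SurveyJS_CloneSurvey (the hook name follows the action named above) that accepts any request from a logged-in user, beside the hardened form that requires a per-action nonce and a capability. The surveys table name, the survey_id parameter, the nonce action string surveyjs_clone_survey, the capability manage_options and the admin script handle are assumptions made for the example.

```php
<?php
/*
 * Added example, not the plugin's code. The hook name follows the AJAX action
 * named in the advisory; the {prefix}surveyjs_surveys table, the survey_id
 * parameter, the nonce action string and the capability are assumptions.
 */

// Shared clone step so the two handlers differ only in their checks.
function surveyjs_example_do_clone( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'surveyjs_surveys'; // assumed table name
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT name, json FROM {$table} WHERE id = %d", $id ),
        ARRAY_A
    );
    if ( ! $row ) {
        wp_send_json_error( 'survey not found', 404 ); // exits
    }
    $wpdb->insert( $table, array(
        'name' => $row['name'] . ' (copy)',
        'json' => $row['json'],
    ) );
    return (int) $wpdb->insert_id;
}

// --- Vulnerable pattern: admin-ajax.php routes action=SurveyJS_CloneSurvey
// here for any logged-in user, and nothing ties the request to the plugin's
// own admin page. A form on an attacker's site, auto-submitted while an
// administrator is logged in, is accepted exactly like a legitimate click.
function surveyjs_clone_survey_vulnerable() {
    $id = absint( $_POST['survey_id'] ?? 0 );
    wp_send_json_success( array( 'id' => surveyjs_example_do_clone( $id ) ) );
}
// add_action( 'wp_ajax_SurveyJS_CloneSurvey', 'surveyjs_clone_survey_vulnerable' );

// --- Hardened form: nonce bound to this specific action, plus a capability check.
function surveyjs_clone_survey_hardened() {
    // Dies with HTTP 403 unless $_POST['_ajax_nonce'] is a valid nonce for
    // 'surveyjs_clone_survey' issued to the current user's session. A
    // third-party page cannot read that value, which is what defeats CSRF.
    check_ajax_referer( 'surveyjs_clone_survey', '_ajax_nonce' );

    // The nonce proves intent, not privilege: still require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $id = absint( $_POST['survey_id'] ?? 0 );
    wp_send_json_success( array( 'id' => surveyjs_example_do_clone( $id ) ) );
}
add_action( 'wp_ajax_SurveyJS_CloneSurvey', 'surveyjs_clone_survey_hardened' );

// --- Hand the nonce to the plugin's own admin script so legitimate clone
// requests carry it (the script is expected to POST surveyjsAdmin.nonce as
// _ajax_nonce). Script handle and file name are assumptions.
function surveyjs_example_enqueue_admin_script() {
    wp_enqueue_script( 'surveyjs-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'surveyjs-admin', 'surveyjsAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'surveyjs_clone_survey' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'surveyjs_example_enqueue_admin_script' );
```

Two points worth checking in any fix of this shape: the nonce action string must be specific to the clone operation (a site-wide nonce reused across actions lets one leaked nonce authorize everything), and check_ajax_referer must run before any state change, since it only protects code that executes after it.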
This vulnerability was publicly disclosed on 2026-01-24. No public proof-of-concept (POC) code has been identified at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. Because a CSRF against a known action name needs no more than a crafted page and an administrator who visits it, it is prudent to assume it can be exploited wherever a vulnerable version of the plugin is installed.
Exploit Status
EPSS: 0.01% (0% percentile)
The recommended mitigation is to upgrade the SurveyJS: Drag & Drop WordPress Form Builder plugin to version 2.5.3 or later without delay. If upgrading is not immediately feasible, apply temporary workarounds: add a Web Application Firewall (WAF) rule that blocks requests for the SurveyJS_CloneSurvey AJAX action whose Origin or Referer host is not the site's own (blocking the action outright also breaks legitimate cloning from the admin UI); limit the number of accounts that hold the capability to manage surveys, which shrinks the pool of sessions an attacker can ride; and remind administrators not to open untrusted links while logged in to the site. Regularly review WordPress plugin security best practices and keep all plugins up to date.
Update to version 2.5.3, or a newer patched version
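As an in-application equivalent of the WAF rule above, here is an added example of a must-use plugin that rejects SurveyJS_CloneSurvey requests whose Origin (or, failing that, Referer) host does not match the site. It is not part of the plugin or the advisory and is meant only as a stop-gap until version 2.5.3 or later is installed; the hook names follow the action named in the advisory, and the file name and log prefix are assumptions.

```php
<?php
/*
 * Plugin Name: SurveyJS clone-action interim guard
 * Description: Added example, not part of the SurveyJS plugin or advisory.
 * Save as wp-content/mu-plugins/surveyjs-clone-guard.php (name assumed) as a
 * stop-gap until the plugin is updated to 2.5.3 or later, then delete it.
 */

// True only when the request's Origin, or failing that Referer, names this
// site's host. Browsers set Origin on cross-site POSTs and never let a page
// forge it, so a mismatch means the request did not come from this site's
// own admin pages. With neither header present we fail closed, because the
// clone action changes state and the legitimate admin UI always sends them.
function surveyjs_guard_same_site_request() {
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( empty( $_SERVER[ $header ] ) ) {
            continue;
        }
        $host = wp_parse_url( $_SERVER[ $header ], PHP_URL_HOST );
        return is_string( $host ) && 0 === strcasecmp( $host, $site_host );
    }
    return false;
}

// Runs before the plugin's own handler and stops the request on mismatch.
function surveyjs_guard_clone_action() {
    if ( surveyjs_guard_same_site_request() ) {
        return; // same-site request: let the plugin handle it
    }
    error_log( sprintf(
        'surveyjs-guard: blocked cross-site SurveyJS_CloneSurvey request from %s (origin=%s referer=%s)',
        $_SERVER['REMOTE_ADDR'] ?? '?',
        $_SERVER['HTTP_ORIGIN'] ?? '-',
        $_SERVER['HTTP_REFERER'] ?? '-'
    ) );
    wp_send_json_error( 'cross-site request rejected', 403 ); // exits
}

// Priority 1 so the guard runs ahead of the plugin's handler, which
// add_action registers at the default priority of 10. The nopriv hook is
// guarded as well in case the plugin exposes the action to visitors.
add_action( 'wp_ajax_SurveyJS_CloneSurvey', 'surveyjs_guard_clone_action', 1 );
add_action( 'wp_ajax_nopriv_SurveyJS_CloneSurvey', 'surveyjs_guard_clone_action', 1 );
```

The guard checks only the request's source, not the user's intent, so it is weaker than a nonce: a proxy or browser privacy setting that strips both headers will cause legitimate admin clone requests to be rejected (the 403 and the log line make that easy to spot), and it protects nothing once the plugin adds another state-changing action. The WAF rule described above is the same logic expressed as: block POST requests to admin-ajax.php with action=SurveyJS_CloneSurvey when the Origin or Referer host is not the site's own.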
CVE-2025-13205 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 1.0.0 through 2.5.2 of the SurveyJS Drag & Drop Form Builder WordPress plugin; it allows surveys to be duplicated without the attacker authenticating.
If you are running SurveyJS Drag & Drop Form Builder version 1.0.0 through 2.5.2 on your WordPress site, you are affected by this vulnerability.
Upgrade the SurveyJS Drag & Drop Form Builder plugin to version 2.5.3 or later to resolve the vulnerability. Until then, use a WAF rule that blocks cross-site requests for the SurveyJS_CloneSurvey action as a temporary mitigation.
No active exploitation has been confirmed, but the vulnerability is easy to exploit, so the potential for exploitation exists.
Refer to the official SurveyJS security advisory for detailed information and updates: [https://surveyjs.io/security/CVE-2025-13205](https://surveyjs.io/security/CVE-2025-13205)