MEDIUM · CVE-2025-13140 · CVSS 4.3

CVE-2025-13140: CSRF in SurveyJS Drag & Drop Form Builder

Platform

wordpress

Component

surveyjs

Fixed in

1.12.21

AI Confidence: high · Source: NVD · EPSS 0.02% · Reviewed: May 2026

CVE-2025-13140 describes a Cross-Site Request Forgery (CSRF) vulnerability in the SurveyJS: Drag & Drop WordPress Form Builder plugin. An unauthenticated attacker who can get a logged-in site administrator to open a crafted page can make that administrator's browser delete surveys on the site, because the delete action does not verify that the request came from the plugin's own interface. All versions up to and including 1.12.20 (listed as 0.0.0 through 1.12.20) are affected; the fix is in version 1.12.21.


Impact and Attack Scenarios

The primary impact is unauthorized deletion of surveys. An attacker crafts a page containing a hidden, auto-submitting form (or a link) aimed at the SurveyJS_DeleteSurvey AJAX action; when a logged-in administrator visits it, the browser attaches the administrator's session cookies, so the request arrives fully authenticated but without the nonce that would prove it originated in the plugin's own UI. The result is data loss and disruption of survey functionality. The attacker does need an administrator to open the page, but a single visit can fire as many delete requests as the page embeds, so the risk is significant for sites whose business processes depend on survey data. Any site running a vulnerable version of the plugin is exposed.
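The following is an added illustration, not the plugin's code (the page does not reproduce it): a WordPress admin-AJAX delete handler written in the vulnerable shape the advisory describes, beside its hardened form. The hook registration, the post type surveyjs_survey, the nonce action string, the survey_id parameter and the script handle are all assumptions made for the example.

```php
<?php
/**
 * Added example, not SurveyJS code. Shows why a capability check alone does
 * not stop CSRF and what the nonce check adds. Assumed names: the post type
 * 'surveyjs_survey', the 'survey_id' POST field, the nonce action
 * 'surveyjs_delete_survey' and the script handle 'surveyjs-admin'.
 */

// --- Vulnerable pattern: the handler trusts the cookie session alone. ---
// A cross-site form POST to /wp-admin/admin-ajax.php?action=SurveyJS_DeleteSurvey
// carries the administrator's cookies, so current_user_can() passes; nothing
// proves the request was produced by this site's own admin page.
function surveyjs_delete_survey_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = isset( $_POST['survey_id'] ) ? absint( $_POST['survey_id'] ) : 0;
    if ( $id && 'surveyjs_survey' === get_post_type( $id ) ) { // assumed post type
        wp_delete_post( $id, true );
        wp_send_json_success( array( 'deleted' => $id ) );
    }
    wp_send_json_error( 'not found', 404 );
}

// --- Hardened pattern: nonce verification, then the capability check. ---
// check_ajax_referer() calls wp_die( -1, 403 ) when the 'nonce' field is
// missing, expired, or minted for another user or action. An attacker's page
// cannot read a nonce issued to the admin because of the same-origin policy.
function surveyjs_delete_survey_hardened() {
    check_ajax_referer( 'surveyjs_delete_survey', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = isset( $_POST['survey_id'] ) ? absint( $_POST['survey_id'] ) : 0;
    if ( $id && 'surveyjs_survey' === get_post_type( $id ) ) {
        wp_delete_post( $id, true );
        wp_send_json_success( array( 'deleted' => $id ) );
    }
    wp_send_json_error( 'not found', 404 );
}
// Only the hardened handler is registered, and only for logged-in users:
// there is deliberately no wp_ajax_nopriv_ hook for a destructive action.
add_action( 'wp_ajax_SurveyJS_DeleteSurvey', 'surveyjs_delete_survey_hardened' );

// The nonce is minted server-side for the logged-in user and handed to the
// plugin's own admin script, which sends it back as the 'nonce' POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'surveyjs-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'surveyjs-admin', 'SurveyJSAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'surveyjs_delete_survey' ),
    ) );
    wp_enqueue_script( 'surveyjs-admin' );
} );
```

The order in the hardened handler matters: the nonce check runs first so that a forged request is rejected before any of the handler's logic executes, and the capability check stays in place because a nonce only proves provenance, not authorization.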

Exploitation Context

This vulnerability was publicly disclosed on December 2, 2025. There are currently no known public proof-of-concept exploits. The CVSS score of 4.3 (medium) reflects the need for victim interaction and the integrity-only impact. It has not been added to the CISA KEV catalog at the time of this writing. Active exploitation is not currently confirmed, but the low effort required (a crafted page and one administrator visit) leaves room for future campaigns.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (3rd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (base score 4.3, MEDIUM; nextguardhq.com, CVSS v3.1 Base Score)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — the attacker needs no account on the site. For this CSRF the forged request is still authenticated, but by the victim administrator's own session cookies, which the browser attaches automatically.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: surveyjs
Vendor (CVE source): wordfence
Affected range: 0.0.0 – 1.12.20
Fixed in: 1.12.21

Package Information

Active installs
500
Plugin rating
4.7
Requires WordPress
6.4+
Compatible up to
6.9.4
Requires PHP
8.2+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published (December 2, 2025)
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The recommended mitigation is to upgrade the SurveyJS: Drag & Drop WordPress Form Builder plugin to version 1.12.21 or later. If upgrading is not immediately feasible, virtually patch the SurveyJS_DeleteSurvey AJAX action. A WAF or web-server rule cannot validate a WordPress nonce (nonces are derived from a per-site secret and the user's session), but it can reject requests to that action whose Sec-Fetch-Site header is anything other than same-origin, or whose Origin or Referer host does not match the site, which is exactly what a cross-site form post looks like. Keep the set of administrator accounts small and review WordPress roles and capabilities regularly, since only a session allowed to manage surveys can be abused. After upgrading, confirm the fix while logged in as an administrator: replay a delete request without the nonce parameter (or with a stale one), or submit it from a page on another origin, and verify that the plugin rejects it. A test from a browser with no administrator session only exercises the capability check, not the CSRF protection the fixed release adds.
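One way to apply that interim workaround inside WordPress itself rather than at the WAF, as an added example that is not SurveyJS code: a must-use plugin that runs before any admin-ajax handler and refuses cross-site requests to the SurveyJS_DeleteSurvey action. It assumes the action is dispatched through admin-ajax.php (the page calls it an AJAX action), that administrators use a current browser that sends Sec-Fetch-Site, and that the admin UI lives on the same origin as site_url().

```php
<?php
/**
 * Plugin Name: SurveyJS CSRF virtual patch (temporary)
 * Description: Added workaround example, not SurveyJS code. Place in
 *   wp-content/mu-plugins/ until the plugin is on 1.12.21, then delete it.
 */

/**
 * Classify a request as cross-site using browser-set headers only.
 *
 * Sec-Fetch-Site is set by the browser and cannot be influenced by page
 * content, so it is checked first; Origin and then Referer are fallbacks for
 * older clients. A request carrying none of the three is treated as
 * cross-site: failing closed is the right default for a destructive action,
 * at the cost of blocking clients that strip those headers (assumption: the
 * site's administrators use a current browser).
 *
 * @param array  $server    The $_SERVER array, passed in so the check is testable.
 * @param string $site_host Host component of site_url().
 * @return bool  True when the request must not reach the delete handler.
 */
function surveyjs_vp_is_cross_site( array $server, $site_host ) {
    if ( isset( $server['HTTP_SEC_FETCH_SITE'] ) ) {
        // 'same-site' is deliberately not accepted: a sibling subdomain is not this origin.
        return 'same-origin' !== strtolower( trim( $server['HTTP_SEC_FETCH_SITE'] ) );
    }
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $server[ $header ] ) ) {
            // "Origin: null" (sandboxed or file: pages) has no host and is rejected here.
            $host = wp_parse_url( $server[ $header ], PHP_URL_HOST );
            return ! ( is_string( $host ) && 0 === strcasecmp( $host, $site_host ) );
        }
    }
    return true; // no origin signal at all: fail closed
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so a
// priority-0 callback here runs ahead of the plugin's own handler.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    // $_REQUEST covers an action passed in the query string or the POST body;
    // hook names are case-sensitive, so compare the raw string.
    $action = isset( $_REQUEST['action'] ) ? (string) wp_unslash( $_REQUEST['action'] ) : '';
    if ( 'SurveyJS_DeleteSurvey' !== $action ) {
        return;
    }
    $site_host = wp_parse_url( site_url(), PHP_URL_HOST );
    if ( surveyjs_vp_is_cross_site( $_SERVER, $site_host ) ) {
        // Same response shape as a failed check_ajax_referer(): -1 with HTTP 403.
        wp_die( -1, 403 );
    }
}, 0 );
```

The plugin's own admin page issues its delete request from the site's origin, so it passes this check unchanged; a hidden form on an attacker's page arrives with Sec-Fetch-Site: cross-site and is stopped before the handler runs. This is an origin check, not a nonce check, so remove it once 1.12.21 is installed rather than treating it as the fix.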

How to fix

Update to version 1.12.21, or a newer patched version


Frequently asked questions

What is CVE-2025-13140 — CSRF in SurveyJS Drag & Drop Form Builder?

CVE-2025-13140 is a Cross-Site Request Forgery vulnerability in the SurveyJS Drag & Drop Form Builder plugin for WordPress. It lets an attacker delete surveys by tricking a logged-in administrator into loading a crafted page, because the delete action does not check a nonce.

Am I affected by CVE-2025-13140 in SurveyJS Drag & Drop Form Builder?

You are affected if you are using SurveyJS Drag & Drop Form Builder versions 0.0.0 through 1.12.20. Upgrade to 1.12.21 or later to mitigate the risk.

How do I fix CVE-2025-13140 in SurveyJS Drag & Drop Form Builder?

Upgrade the plugin to version 1.12.21 or later. As a temporary workaround, add a WAF or web-server rule that rejects cross-site requests (Sec-Fetch-Site other than same-origin, or a mismatched Origin/Referer host) to the SurveyJS_DeleteSurvey AJAX action.

Is CVE-2025-13140 being actively exploited?

Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation suggests potential for future attacks.

Where can I find the official SurveyJS advisory for CVE-2025-13140?

Refer to the official SurveyJS security advisory for detailed information and updates: [https://surveyjs.io/security/CVE-2025-13140](https://surveyjs.io/security/CVE-2025-13140)
