Platform: wordpress
Component: surveyjs
Fixed in: 2.5.4
CVE-2025-13194 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the SurveyJS: Drag & Drop WordPress Form Builder plugin. This flaw allows unauthenticated attackers to potentially rename surveys on a WordPress site by tricking an administrator into performing a malicious action. The vulnerability affects versions 1.0.0 through 2.5.2, and a patch is available in version 2.5.3.
The primary impact of this CSRF vulnerability is the unauthorized renaming of surveys within the WordPress site. While seemingly minor, this could be leveraged to disrupt survey workflows, alter data collection processes, or even mask malicious surveys. An attacker could craft a malicious link or embed it in a phishing email, enticing an administrator to click it. Upon clicking, the attacker's forged request would be sent to the server, renaming the survey without the administrator's explicit consent. This could lead to confusion, data integrity issues, and potential denial of service if critical surveys are renamed or deleted.
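The control that stops the forged request described above is a nonce bound to the specific action plus a capability check on the server side. The following is an added illustration written for this page, not SurveyJS code: a hypothetical WordPress AJAX rename handler in its CSRF-prone shape and in its hardened shape. The action name, post type and function names are assumed for the example.

```php
<?php
// Added example, not SurveyJS code. Hypothetical AJAX action that renames a
// survey stored as a post; the names and the post type are illustrative.

// Vulnerable shape: acts on any POST that carries the parameters. The browser
// attaches the administrator's cookies to a cross-site form submission, so a
// page the administrator is tricked into visiting can trigger the rename.
function example_rename_survey_unprotected() {
    $id   = (int) $_POST['surveyId'];
    $name = $_POST['name'];
    wp_update_post( array( 'ID' => $id, 'post_title' => $name ) );
    wp_send_json_success();
}

// Hardened shape: nonce tied to the action, capability check, and validation
// of the target before anything is written.
function example_rename_survey_protected() {
    // Fails the request (HTTP 403) unless a valid nonce for this action is
    // present in '_ajax_nonce'. The nonce is minted server-side with
    // wp_create_nonce( 'example_rename_survey' ) on the admin page, so a
    // cross-site form has no way to obtain it.
    check_ajax_referer( 'example_rename_survey', '_ajax_nonce' );

    // Cookies prove the user is logged in, not that they may edit surveys.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $id   = isset( $_POST['surveyId'] ) ? absint( $_POST['surveyId'] ) : 0;
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';

    // Only rename posts of the survey type, and only ones this user may edit.
    $post = get_post( $id );
    if ( ! $post || 'example_survey' !== $post->post_type
        || ! current_user_can( 'edit_post', $id ) || '' === $name ) {
        wp_send_json_error( 'invalid survey', 400 );
    }

    wp_update_post( array( 'ID' => $id, 'post_title' => $name ) );
    wp_send_json_success( array( 'id' => $id, 'name' => $name ) );
}

// Registered for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_rename_survey', 'example_rename_survey_protected' );
```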
This vulnerability was publicly disclosed on 2026-01-24. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively low complexity of CSRF exploitation, the probability of exploitation is considered medium, particularly if the WordPress site has a large user base or is targeted by phishing campaigns.
The sites at risk are WordPress sites using the SurveyJS: Drag & Drop Form Builder plugin, particularly those with administrative users who are susceptible to phishing attacks or social engineering. Shared hosting environments where multiple WordPress sites share the same server resources are also at increased risk, as a compromise on one site could potentially impact others.
• wordpress / composer / npm:
# confirms the 'SurveyJS_RenameSurvey' action string is present in an installed plugin; check the plugin's version header to see whether it is below 2.5.3
grep -r 'SurveyJS_RenameSurvey' /var/www/html/wp-content/plugins/
• generic web:
# URL quoted so the shell does not treat '&' as a background operator; -s suppresses progress output
curl -sI 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=SurveyJS_RenameSurvey&surveyId=123' | grep -i '200 ok'
Exploit status
EPSS
0.03% (8th percentile)
The recommended mitigation is to immediately upgrade the SurveyJS: Drag & Drop WordPress Form Builder plugin to version 2.5.3 or later. Prior to upgrading, it's advisable to back up your WordPress database and plugin files. If upgrading causes compatibility issues, consider temporarily disabling the plugin or reverting to a previous, known-stable version while investigating the conflict. There are no specific WAF rules or configuration workarounds available beyond upgrading the plugin. After upgrading, confirm the vulnerability is resolved by attempting to rename a survey via a crafted request and verifying that the action is denied.
Update to version 2.5.3 or a more recent patched version
CVE-2025-13194 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the SurveyJS Drag & Drop Form Builder plugin for WordPress, allowing attackers to rename surveys via forged requests.
You are affected if you are using SurveyJS Drag & Drop Form Builder versions 1.0.0 through 2.5.2. Upgrade to version 2.5.3 or later to mitigate the risk.
Upgrade the SurveyJS Drag & Drop Form Builder plugin to version 2.5.3 or later. Back up your site before upgrading.
There are currently no known active exploits for CVE-2025-13194, but the risk remains due to the ease of CSRF exploitation.
Refer to the official SurveyJS security advisory for details and updates: [https://surveyjs.io/security/CVE-2025-13194](https://surveyjs.io/security/CVE-2025-13194)