プラットフォーム
wordpress
コンポーネント
surveyjs
修正版
2.5.4
CVE-2025-13139 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the SurveyJS: Drag & Drop WordPress Form Builder plugin. This vulnerability allows unauthenticated attackers to create surveys by crafting malicious requests and tricking a site administrator into executing them. The vulnerability impacts versions 0.0.0 through 2.5.2 of the plugin, and a fix is available in version 2.5.3.
An attacker exploiting this CSRF vulnerability could create arbitrary surveys on a WordPress site without authentication. This could lead to the injection of malicious content, data theft, or further exploitation depending on the survey's functionality and how it's used. The impact is amplified if the site administrator is tricked into performing actions that automatically publish or distribute these malicious surveys. While the initial attack requires social engineering to trick an administrator, the potential consequences can be significant, potentially impacting site integrity and user data.
This vulnerability was publicly disclosed on 2026-01-24. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of CSRF exploitation, it is possible that attackers may develop and deploy PoCs in the future.
WordPress sites utilizing the SurveyJS: Drag & Drop Form Builder plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where plugin updates are managed centrally may also be vulnerable if they haven't applied the patch.
• wordpress / composer / npm:
grep -r 'SurveyJS_AddSurvey' /var/www/html/wp-content/plugins/survey-js/includes/ajax-actions.php• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=SurveyJS_AddSurvey&... # Check for missing noncedisclosure
エクスプロイト状況
EPSS
0.01% (3% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2025-13139 is to immediately upgrade the SurveyJS: Drag & Drop WordPress Form Builder plugin to version 2.5.3 or later. If upgrading is not immediately feasible, consider implementing stricter input validation and output encoding on the SurveyJS_AddSurvey AJAX action. Additionally, enabling WordPress's core CSRF protection mechanisms, such as using nonces, can provide an additional layer of defense. Regularly review WordPress plugin installations and ensure they are from trusted sources.
バージョン2.5.3、またはそれ以降の修正されたバージョンにアップデートしてください
脆弱性分析と重要アラートをメールでお届けします。
CVE-2025-13139 is a Cross-Site Request Forgery (CSRF) vulnerability in the SurveyJS Drag & Drop WordPress Form Builder plugin, allowing attackers to create surveys via forged requests.
You are affected if you are using SurveyJS Drag & Drop Form Builder versions 0.0.0 through 2.5.2. Upgrade to 2.5.3 or later to mitigate the risk.
Upgrade the SurveyJS Drag & Drop Form Builder plugin to version 2.5.3 or later. Consider implementing stricter input validation and enabling WordPress's core CSRF protection.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted in the future.
Refer to the official SurveyJS advisory on their website or GitHub repository for detailed information and updates.
依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。