SurveyJS: Drag & Drop WordPress Form Builder <= 2.5.2 - Cross-Site Request Forgery tot Survey Creatie
Platform
wordpress
Component
surveyjs
Opgelost in
2.5.4
CVE-2025-13139 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the SurveyJS: Drag & Drop WordPress Form Builder plugin. This vulnerability allows unauthenticated attackers to create surveys by crafting malicious requests and tricking a site administrator into executing them. The vulnerability impacts versions 0.0.0 through 2.5.2 of the plugin, and a fix is available in version 2.5.3.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Impact en Aanvalsscenarioswordt vertaald…
An attacker exploiting this CSRF vulnerability could create arbitrary surveys on a WordPress site without authentication. This could lead to the injection of malicious content, data theft, or further exploitation depending on the survey's functionality and how it's used. The impact is amplified if the site administrator is tricked into performing actions that automatically publish or distribute these malicious surveys. While the initial attack requires social engineering to trick an administrator, the potential consequences can be significant, potentially impacting site integrity and user data.
Uitbuitingscontextwordt vertaald…
This vulnerability was publicly disclosed on 2026-01-24. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of CSRF exploitation, it is possible that attackers may develop and deploy PoCs in the future.
Wie Loopt Risicowordt vertaald…
WordPress sites utilizing the SurveyJS: Drag & Drop Form Builder plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where plugin updates are managed centrally may also be vulnerable if they haven't applied the patch.
Detectiestappenwordt vertaald…
• wordpress / composer / npm:
grep -r 'SurveyJS_AddSurvey' /var/www/html/wp-content/plugins/survey-js/includes/ajax-actions.php• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=SurveyJS_AddSurvey&... # Check for missing nonceAanvalstijdlijn
- Disclosure
disclosure
Dreigingsinformatie
Exploit Status
EPSS
0.01% (3% percentiel)
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Geen — geen authenticatie vereist om te exploiteren.
- User Interaction
- Vereist — slachtoffer moet een bestand openen, op een link klikken of een pagina bezoeken.
- Scope
- Ongewijzigd — impact beperkt tot het kwetsbare component.
- Confidentiality
- Geen — geen vertrouwelijkheidsimpact.
- Integrity
- Laag — aanvaller kan enkele gegevens met beperkte omvang aanpassen.
- Availability
- Geen — geen beschikbaarheidsimpact.
Getroffen Software
Pakketinformatie
- Actieve installaties
- 500
- Plugin-beoordeling
- 4.7
- Vereist WordPress
- 6.4+
- Compatibel tot
- 6.9.4
- Vereist PHP
- 8.2+
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
- EPSS bijgewerkt
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2025-13139 is to immediately upgrade the SurveyJS: Drag & Drop WordPress Form Builder plugin to version 2.5.3 or later. If upgrading is not immediately feasible, consider implementing stricter input validation and output encoding on the SurveyJS_AddSurvey AJAX action. Additionally, enabling WordPress's core CSRF protection mechanisms, such as using nonces, can provide an additional layer of defense. Regularly review WordPress plugin installations and ensure they are from trusted sources.
Hoe te verhelpen
Update naar versie 2.5.3, of een nieuwere gepatchte versie
CVE Beveiligingsnieuwsbrief
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
Veelgestelde vragenwordt vertaald…
What is CVE-2025-13139 — CSRF in SurveyJS Drag & Drop Form Builder?
CVE-2025-13139 is a Cross-Site Request Forgery (CSRF) vulnerability in the SurveyJS Drag & Drop WordPress Form Builder plugin, allowing attackers to create surveys via forged requests.
Am I affected by CVE-2025-13139 in SurveyJS Drag & Drop Form Builder?
You are affected if you are using SurveyJS Drag & Drop Form Builder versions 0.0.0 through 2.5.2. Upgrade to 2.5.3 or later to mitigate the risk.
How do I fix CVE-2025-13139 in SurveyJS Drag & Drop Form Builder?
Upgrade the SurveyJS Drag & Drop Form Builder plugin to version 2.5.3 or later. Consider implementing stricter input validation and enabling WordPress's core CSRF protection.
Is CVE-2025-13139 being actively exploited?
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted in the future.
Where can I find the official SurveyJS advisory for CVE-2025-13139?
Refer to the official SurveyJS advisory on their website or GitHub repository for detailed information and updates.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.