{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12891", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-07T18:06:27.616Z", "datePublished": "2025-11-13T04:28:00.744Z", "dateUpdated": "2026-04-08T17:04:07.308Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:07.308Z"}, "affected": [{"vendor": "ays-pro", "product": "Survey Maker", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.9.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all survey submissions."}], "title": "Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/835353e7-871d-4daf-9ed4-86321daf2366?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3394078/survey-maker/tags/5.1.9.5/admin/class-survey-maker-admin.php?old=3389474&old_path=survey-maker%2Ftags%2F5.1.9.4%2Fadmin%2Fclass-survey-maker-admin.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "German"}], "timeline": [{"time": "2025-11-07T18:21:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-12T15:37:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-14T16:53:23.597376Z", "id": "CVE-2025-12891", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T16:53:33.943Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12891", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-14T16:53:23.597376Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T16:53:31.088Z"}}], "cna": {"title": "Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "German"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "ays-pro", "product": "Survey Maker", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.9.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-07T18:21:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-12T15:37:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/835353e7-871d-4daf-9ed4-86321daf2366?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3394078/survey-maker/tags/5.1.9.5/admin/class-survey-maker-admin.php?old=3389474&old_path=survey-maker%2Ftags%2F5.1.9.4%2Fadmin%2Fclass-survey-maker-admin.php"}], "descriptions": [{"lang": "en", "value": "The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all survey submissions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:07.308Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12891", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:07.308Z", "dateReserved": "2025-11-07T18:06:27.616Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-13T04:28:00.744Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all survey submissions."}], "id": "CVE-2025-12891", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-13T05:16:03.007", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3394078/survey-maker/tags/5.1.9.5/admin/class-survey-maker-admin.php?old=3389474&old_path=survey-maker%2Ftags%2F5.1.9.4%2Fadmin%2Fclass-survey-maker-admin.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/835353e7-871d-4daf-9ed4-86321daf2366?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:22:43.444231+00:00", "value": {"mitigation_remediation": ["Upgrade Survey Maker to version 5.1.9.5 or later, where the missing capability check has been added.", "If an upgrade is not immediately possible, block unauthenticated access to the 'ays_survey_show_results' AJAX endpoint by adding a capability check or restricting the endpoint via a security plugin or .htaccess rule.", "Monitor site logs for anomalous AJAX requests and ensure that only authenticated users can invoke survey result endpoints."], "summary": {"action": "Patch Now", "impact": "Information disclosure"}, "threat_synthesis": {"affected_systems": "All instances of the Survey Maker plugin installed on WordPress sites that are running version 5.1.9.4 or earlier are affected. The vulnerability is present in each version up to and including 5.1.9.4 of the plugin, regardless of the WordPress core version.", "description_and_impact": "The Survey Maker plugin for WordPress contains a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to 5.1.9.4. This flaw allows unauthenticated users to retrieve all survey submissions through the exposed endpoint. As a result, attacker confidentiality can be breached, allowing disclosure of potentially sensitive survey data without authentication or authorization.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so there is no current evidence of known exploitation. However, because the attack vector is a public web\u2011facing AJAX endpoint and is exploitable without authentication, the risk to sites that are exposed to the internet remains real. The impact is limited to information disclosure; there is no known path to code execution or denial of service."}}}}, "created": "2025-11-13T09:52:04.107267+00:00", "updated": "2026-04-21T18:30:27.582810+00:00", "vendors": ["ays-pro", "ays-pro$PRODUCT$survey_maker", "wordpress", "wordpress$PRODUCT$wordpress"]}