{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13139", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-13T18:49:37.998Z", "datePublished": "2026-01-24T09:08:05.683Z", "dateUpdated": "2026-04-08T16:34:58.355Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:58.355Z"}, "affected": [{"vendor": "devsoftbaltic", "product": "SurveyJS: Drag & Drop Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "SurveyJS: Drag & Drop WordPress Form Builder <= 2.5.2 - Cross-Site Request Forgery to Survey Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c06880e-06cc-4204-a031-355de4de3af2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/add_survey.php#L12"}, {"url": "https://plugins.trac.wordpress.org/changeset/3446910/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-01-23T20:33:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T17:46:51.891194Z", "id": "CVE-2025-13139", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:46:58.712Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13139", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T17:46:51.891194Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:46:55.835Z"}}], "cna": {"title": "SurveyJS: Drag & Drop WordPress Form Builder <= 2.5.2 - Cross-Site Request Forgery to Survey Creation", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "devsoftbaltic", "product": "SurveyJS: Drag & Drop Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T20:33:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c06880e-06cc-4204-a031-355de4de3af2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/add_survey.php#L12"}, {"url": "https://plugins.trac.wordpress.org/changeset/3446910/"}], "descriptions": [{"lang": "en", "value": "The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:58.355Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13139", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:58.355Z", "dateReserved": "2025-11-13T18:49:37.998Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T09:08:05.683Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin SurveyJS: Drag &amp; Drop WordPress Form Builder para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.12.20, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la acci\u00f3n AJAX SurveyJS_AddSurvey. Esto hace posible que atacantes no autenticados creen encuestas a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-13139", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T09:15:50.647", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/add_survey.php#L12"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3446910/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c06880e-06cc-4204-a031-355de4de3af2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:36:33.410574+00:00", "value": {"mitigation_remediation": ["Upgrade SurveyJS: Drag & Drop WordPress Form Builder to a version newer than 2.5.2 that contains nonce validation for the SurveyJS_AddSurvey AJAX action.", "If an upgrade is not immediately feasible, restrict unauthenticated access to the plugin\u2019s AJAX endpoint by adding a check that only logged\u2011in administrators can execute SurveyJS_AddSurvey, or block the endpoint via .htaccess or a security plugin.", "As a temporary workaround, disable the survey creation feature by editing the plugin source to comment out the AJAX handler for add_survey or by disabling the add_survey action in the plugin\u2019s settings."], "summary": {"action": "Apply patch", "impact": "Unrestricted CSRF\u2011driven survey creation"}, "threat_synthesis": {"affected_systems": "All releases of SurveyJS: Drag & Drop WordPress Form Builder up to and including version 2.5.2, distributed by devsoftbaltic. WordPress sites that have this plugin installed and activated are vulnerable. The problem is localized to the plugin\u2019s AJAX endpoint that handles new survey submissions.", "description_and_impact": "The SurveyJS: Drag & Drop WordPress Form Builder plugin contains a Cross\u2011Site Request Forgery vulnerability in its SurveyJS_AddSurvey AJAX action. The flaw arises from a missing nonce check, allowing an attacker to forge a request that creates a new survey. The attacker requires no prior privileges; any user who can convince a site administrator to click a malicious link can trigger the vulnerability.", "risk_and_exploitability": "The CVSS score of 4.3 denotes a low impact, and the EPSS score is less than 1\u202f%, indicating a low likelihood of exploitation under normal conditions. Nevertheless, the vulnerability can be triggered in a typical web browser, enabling unauthenticated CSRF to add a survey. It is not listed in the CISA KEV catalog, but administrators should still patch promptly because the attack requires only a user\u2011friendly click on a crafted link."}}}}, "created": "2026-01-26T11:48:27.473487+00:00", "updated": "2026-04-22T15:45:20.869932+00:00", "vendors": ["devsoftbaltic", "devsoftbaltic$PRODUCT$surveyjs_drag_drop_wordpress_form_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}