CVE-2025-13139 Overview
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.12.20. The vulnerability exists due to missing nonce validation on the SurveyJS_AddSurvey AJAX action, allowing unauthenticated attackers to create surveys via forged requests when they can successfully trick a site administrator into clicking a malicious link.
Critical Impact
Attackers can manipulate WordPress administrators into unknowingly creating arbitrary surveys on their sites, potentially leading to spam content injection, phishing campaigns, or unauthorized data collection through malicious form fields.
Affected Products
- SurveyJS: Drag & Drop WordPress Form Builder plugin, all versions up to and including 1.12.20
- Any WordPress site with one of those versions active; the vulnerable AJAX action is registered as soon as the plugin is activated, whether or not the site actually uses surveys
Discovery Timeline
- 2026-01-24 - CVE CVE-2025-13139 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-13139
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The SurveyJS plugin fails to verify a nonce on the AJAX endpoint responsible for survey creation. A WordPress nonce is a token tied to a specific action, the current user and a time window (it stays valid for up to 24 hours, so it is not strictly a number used once) that the site embeds in the pages it serves to that user. A request that lacks a valid nonce cannot have been assembled from a page the site served to the user, which is exactly the property CSRF protection needs. Authentication cookies alone do not give that property, because the browser attaches them to every request to the site regardless of which page triggered it.
Without nonce validation, the SurveyJS_AddSurvey AJAX action accepts and processes requests without verifying they came from the intended administrative interface. This allows an attacker to craft a malicious webpage or link that, when visited by an authenticated administrator, silently sends a request to create a new survey on the victim's WordPress site.
Root Cause
The root cause of this vulnerability lies in the add_survey.php AJAX handler at line 12 of the plugin code. The handler processes survey creation requests without calling wp_verify_nonce() or check_ajax_referer(), WordPress's built-in CSRF protection functions. A wp_ajax_{action} hook only fires for logged-in users, so an active administrative session becomes the sole gate: the endpoint trusts any incoming request that carries the administrator's cookies, regardless of where the request originated.
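The pattern described above, as an added PHP example that is not the plugin's own code: a hypothetical handler for the SurveyJS_AddSurvey action in its vulnerable shape, followed by the hardened shape with the nonce check and a capability check, plus the admin-page code that mints the nonce. Only the action name comes from the advisory; the function names, the survey_name/survey_json parameters, the table name, the capability and the nonce action string are assumptions, since the plugin's real parameter names are not given on this page.

```php
<?php
// Added illustration, not the plugin's own code. Only the action name
// SurveyJS_AddSurvey comes from the advisory; the parameter names, table
// name, capability and nonce action string below are assumptions.

/* --- Vulnerable shape (CWE-352) -------------------------------------------
 * wp_ajax_{action} fires only for logged-in users, so the auth cookie is the
 * only gate. Nothing here proves the request was built by a page this site
 * served, so a hidden form on a hostile page that POSTs
 * action=SurveyJS_AddSurvey runs with the visiting administrator's privileges.
 * Shown for contrast only; it is not registered below. */
function surveyjs_add_survey_vulnerable() {
    global $wpdb;
    $name = sanitize_text_field( wp_unslash( $_POST['survey_name'] ?? '' ) );
    $json = wp_unslash( $_POST['survey_json'] ?? '{}' );
    $wpdb->insert( $wpdb->prefix . 'surveyjs_surveys', array( 'name' => $name, 'json' => $json ) );
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}

/* --- Hardened shape -------------------------------------------------------- */
function surveyjs_add_survey_hardened() {
    // CSRF: check_ajax_referer() runs wp_verify_nonce() on $_REQUEST['security']
    // against the action 'surveyjs_add_survey' for the current user. On failure
    // it ends the request with -1 and HTTP 403 before any state changes.
    check_ajax_referer( 'surveyjs_add_survey', 'security' );

    // Authorization: a nonce proves intent, not privilege. Any logged-in user
    // can reach a wp_ajax_ hook, so the capability must be checked as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    global $wpdb;
    $name = sanitize_text_field( wp_unslash( $_POST['survey_name'] ?? '' ) );
    $json = wp_unslash( $_POST['survey_json'] ?? '{}' );
    if ( '' === $name || null === json_decode( $json ) ) {
        wp_send_json_error( 'invalid survey', 400 );
    }
    $wpdb->insert( $wpdb->prefix . 'surveyjs_surveys', array( 'name' => $name, 'json' => $json ) );
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}
add_action( 'wp_ajax_SurveyJS_AddSurvey', 'surveyjs_add_survey_hardened' );

/* The nonce must reach the browser from a page the site serves to the user.
 * Mint it on the admin page and hand it to the plugin's script; the script
 * then POSTs { action: 'SurveyJS_AddSurvey', security: SurveyJSAdmin.nonce, ... }.
 * A page on another origin cannot read this value, so it cannot forge it. */
function surveyjs_enqueue_admin_script( $hook_suffix ) {
    wp_enqueue_script( 'surveyjs-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'surveyjs-admin', 'SurveyJSAdmin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'surveyjs_add_survey' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'surveyjs_enqueue_admin_script' );
```

The two checks answer different questions: the nonce proves the request came from a page this site served to this user, the capability check proves the user is allowed to create surveys. Plugins that ship only the second check remain CSRF-able, and plugins that ship only the first are reachable by any subscriber-level account.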
Attack Vector
The attack requires network access and user interaction. An attacker must craft a malicious HTML page containing a hidden form or JavaScript that submits a POST request to the vulnerable AJAX endpoint. When an authenticated WordPress administrator visits this malicious page, their browser automatically includes the site's authentication cookies, causing the forged request to execute with administrative privileges. Browsers that treat cookies as SameSite=Lax by default (Chromium-based browsers do) withhold the cookie from a cross-site POST unless it was set within the last two minutes; browsers that do not apply that default attach it, so the attack remains practical against a mixed administrator population.
The attack flow involves hosting a malicious page that contains form data targeting admin-ajax.php with the SurveyJS_AddSurvey action. When the administrator clicks a link or visits a page containing the malicious code, the survey creation request is sent using their authenticated session. For technical implementation details, see the WordPress SurveyJS AJAX Handler source code.
Detection Methods for CVE-2025-13139
Indicators of Compromise
- Unexpected or unfamiliar surveys appearing in the SurveyJS plugin dashboard
- Survey entries created at unusual times when administrators were not actively working
- HTTP access logs showing POST requests to admin-ajax.php with action=SurveyJS_AddSurvey whose Referer is absent or from an external site. Access logs record only the request line, so the action parameter is visible there only when the plugin sends it in the query string; if it travels in the POST body, the request looks like any other admin-ajax.php call and a missing or foreign Referer is the only distinguishing field in the log
- Survey content containing suspicious links, phishing elements, or data collection fields not created by legitimate administrators
Detection Strategies
- Monitor web server access logs for admin-ajax.php POSTs whose Referer is absent or from a foreign origin; the SurveyJS_AddSurvey action parameter only appears in the log when it is in the query string, so log the action at the application level if you need it
- Implement Web Application Firewall (WAF) rules to flag admin-ajax.php requests whose Origin or Referer header is missing or does not match the site; Origin is the better signal for POST, since browsers attach it to cross-site POSTs and a hostile page cannot make it match the site (at most it can reduce it to "null")
- Enable audit logging plugins to track survey creation events and correlate with administrator activity
- Review SurveyJS database tables for entries that don't match expected administrative workflows
Monitoring Recommendations
- Configure real-time alerts for new survey creation events in WordPress
- Log the Origin and Referer headers for administrative endpoints at the web server level so cross-site requests can be distinguished after the fact
- Deploy SentinelOne Singularity to monitor for suspicious browser-based attack patterns targeting WordPress installations
- Schedule periodic audits of SurveyJS plugin content to identify unauthorized surveys
How to Mitigate CVE-2025-13139
Immediate Actions Required
- Update the SurveyJS: Drag & Drop WordPress Form Builder plugin to a version newer than 1.12.20 that includes the security fix
- Audit existing surveys in the SurveyJS dashboard for any unauthorized or suspicious entries
- Educate site administrators about phishing risks and avoiding clicking on untrusted links while logged into WordPress
- Consider temporarily deactivating the plugin until the update can be applied if immediate patching is not possible
Patch Information
Organizations should update to the latest patched version of the SurveyJS plugin through the WordPress admin dashboard or by downloading directly from the WordPress plugin repository. The fix involves adding proper nonce validation to the SurveyJS_AddSurvey AJAX handler. For detailed vulnerability information, see the Wordfence Vulnerability Analysis.
Workarounds
- Implement a Web Application Firewall (WAF) rule to validate referrer headers on requests to admin-ajax.php with SurveyJS actions
- Restrict administrative access to the WordPress dashboard by IP address using .htaccess or server configuration; note that this limits who can hold an administrative session but does not block a forged request, which is issued by the administrator's own browser from an allowed address
- Have administrators use a separate browser profile for wp-admin and log out when finished, so no authenticated session exists for a forged request to ride on; browser extensions or policies that block cross-origin form submissions add a further layer
- Deploy SentinelOne Singularity XDR for endpoint protection to detect and block CSRF attack patterns targeting web applications
# Apache .htaccess workaround to restrict admin-ajax.php access by referrer.
# Caveats: this gates EVERY admin-ajax.php request, including legitimate
# front-end (nopriv) calls from other plugins and any client that omits or
# strips the Referer header, and it is not a substitute for the nonce fix.
# Apache 2.2 syntax; on 2.4 it needs mod_access_compat (the native 2.4 form
# is "Require env local_ref" inside a <RequireAny> block).
<Files "admin-ajax.php">
    SetEnvIf Referer "^https://yourdomain\.com/" local_ref=1
    Order Deny,Allow
    Deny from all
    Allow from env=local_ref
</Files>
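For the interval before the update is applied, a stop-gap at the WordPress layer rather than in .htaccess, as an added example that is neither the plugin's code nor part of the official fix, serving both the detection strategies and the workarounds above: a must-use plugin that hooks the same wp_ajax_SurveyJS_AddSurvey action ahead of the plugin's handler, rejects requests whose Origin (or, failing that, Referer) does not match the site, and logs every attempt so the access-log gap (POST bodies are not logged) is covered. It assumes the plugin registers its handler on that hook at the default priority of 10; the file and function names are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary CSRF guard for SurveyJS_AddSurvey
 * Description: Drop into wp-content/mu-plugins/ until the SurveyJS plugin is updated; remove afterwards.
 *
 * Added example, not the SurveyJS plugin's code or its official fix. Assumes
 * the plugin registers its handler on wp_ajax_SurveyJS_AddSurvey at the default
 * priority (10), so this priority-1 callback runs first and wp_die() stops it.
 */

/** True when $url's scheme and host match this site's (site_url() is where wp-admin lives). */
function surveyjs_guard_is_same_site( $url ) {
    $site = wp_parse_url( site_url() );
    $from = wp_parse_url( (string) $url );
    // A hostile page can at most suppress Referer or reduce Origin to "null";
    // neither parses to this site's scheme and host, so both fail here.
    return is_array( $from )
        && isset( $from['scheme'], $from['host'], $site['scheme'], $site['host'] )
        && strtolower( $from['scheme'] ) === strtolower( $site['scheme'] )
        && strtolower( $from['host'] ) === strtolower( $site['host'] );
}

function surveyjs_guard_add_survey() {
    // Prefer Origin: browsers attach it to cross-site POSTs and the sending page
    // cannot make it match this site. Referer is the fallback for clients that
    // omit Origin. A request carrying neither is treated as cross-site.
    $origin  = isset( $_SERVER['HTTP_ORIGIN'] ) ? $_SERVER['HTTP_ORIGIN'] : '';
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    $allowed = surveyjs_guard_is_same_site( '' !== $origin ? $origin : $referer );

    // Detection: record every attempt, allowed or blocked, with the fields the
    // web server access log does not give you (user id, Origin, verdict).
    error_log( sprintf(
        'SurveyJS_AddSurvey user=%d ip=%s origin=%s referer=%s verdict=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        '' !== $origin ? $origin : '-',
        '' !== $referer ? $referer : '-',
        $allowed ? 'allow' : 'block'
    ) );

    if ( ! $allowed ) {
        wp_die( -1, 403 ); // the same response check_ajax_referer() gives on a bad nonce
    }
}
add_action( 'wp_ajax_SurveyJS_AddSurvey', 'surveyjs_guard_add_survey', 1 );
```

The plugin's own admin UI keeps working because its requests are same-origin and carry a matching Origin. The log lines land in the PHP error log, or in wp-content/debug.log when WP_DEBUG_LOG is enabled, and a verdict=block entry for an administrator account is the indicator to chase. An origin check is weaker than a nonce (it trusts headers rather than a value only the site's own page could hold), so treat it as a bridge to the patched version, not a replacement for it.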
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.