CVE-2025-13140 Overview
CVE-2025-13140 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress. The vulnerability exists in all versions up to and including 1.12.20 and stems from missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. This security flaw enables unauthenticated attackers to delete surveys through forged requests, provided they can successfully trick a site administrator into performing an action such as clicking on a malicious link.
Critical Impact
Unauthenticated attackers can delete surveys via CSRF attacks, potentially causing data loss and disruption to WordPress sites using the SurveyJS plugin.
Affected Products
- SurveyJS: Drag & Drop WordPress Form Builder plugin versions ≤ 1.12.20
- WordPress installations with vulnerable SurveyJS plugin versions
Discovery Timeline
- 2025-12-02 - CVE-2025-13140 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-13140
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery) with a CVSS 3.1 score of 4.3 (Medium severity). The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N indicates:
- Attack Vector (AV:N): Network-based, exploitable remotely
- Attack Complexity (AC:L): Low complexity to execute
- Privileges Required (PR:N): No authentication needed
- User Interaction (UI:R): Requires user interaction (admin click)
- Scope (S:U): Unchanged scope
- Confidentiality (C:N): No confidentiality impact
- Integrity (I:L): Low integrity impact (data deletion)
- Availability (A:N): No availability impact
The EPSS (Exploit Prediction Scoring System) data shows a probability of 0.013% with a percentile of 1.419, indicating a relatively low likelihood of exploitation in the wild.
Root Cause
The root cause lies in the AJAX handler at ajax_handlers/delete_survey.php, which processes survey deletion requests without validating a WordPress nonce, the per-user, per-action token WordPress uses to prove that a request was initiated from one of the site's own pages. Without that check the application cannot distinguish between legitimate administrator actions and forged requests originating from attacker-controlled websites, since both arrive with the administrator's session cookie.
In WordPress, AJAX actions should validate a nonce with check_ajax_referer() or wp_verify_nonce() before acting. Because a nonce proves only that the request was intentionally initiated from the site, it should be paired with a capability check such as current_user_can() so that authentication, authorization and intent are all verified.
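The pattern below is an added illustration, not the SurveyJS plugin's actual code or the code in changeset 3403869: a minimal WordPress AJAX delete handler in the vulnerable shape (no nonce check) beside a hardened form that validates the nonce and the caller's capability, plus the enqueue code that hands the nonce to the admin page. Function names, the table name and the nonce action string are assumed.

```php
<?php
// Illustrative reconstruction (assumed names), not the plugin's real code.

// --- Vulnerable pattern: the CVE-2025-13140 shape, no nonce check ---
function surveyjs_delete_survey_vulnerable() {
    global $wpdb;
    $survey_id = absint( $_POST['survey_id'] ?? 0 );
    // Any request carrying an administrator's session cookie is honoured, so a
    // form auto-submitted from an attacker-controlled page deletes the survey.
    $wpdb->delete( $wpdb->prefix . 'surveyjs_surveys', array( 'id' => $survey_id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => $survey_id ) );
}

// --- Hardened pattern ---
function surveyjs_delete_survey_hardened() {
    global $wpdb;
    // 1. CSRF protection: check_ajax_referer() runs wp_verify_nonce() on
    //    $_REQUEST['_ajax_nonce'] (or '_wpnonce') against this action string and,
    //    on failure, stops the request with HTTP 403 and body "-1".
    check_ajax_referer( 'surveyjs_delete_survey' );
    // 2. Authorization: a nonce proves intent, not privilege, so still require a
    //    capability appropriate to deleting surveys.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $survey_id = absint( $_POST['survey_id'] ?? 0 );
    if ( 0 === $survey_id ) {
        wp_send_json_error( 'invalid survey id', 400 );
    }
    $wpdb->delete( $wpdb->prefix . 'surveyjs_surveys', array( 'id' => $survey_id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => $survey_id ) );
}
// Logged-in requests to admin-ajax.php?action=SurveyJS_DeleteSurvey hit this hook.
add_action( 'wp_ajax_SurveyJS_DeleteSurvey', 'surveyjs_delete_survey_hardened' );

// The admin-side script receives the nonce via wp_localize_script() and must
// send it as `_ajax_nonce` together with `action=SurveyJS_DeleteSurvey`.
function surveyjs_enqueue_admin_script() {
    wp_enqueue_script( 'surveyjs-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'surveyjs-admin', 'surveyjsAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'surveyjs_delete_survey' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'surveyjs_enqueue_admin_script' );
```

A forged cross-site form cannot obtain the nonce, because it is minted per user and session and only embedded in pages the site itself serves, so the hardened handler rejects the forged request before any deletion occurs.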
Attack Vector
The attack vector for CVE-2025-13140 follows a classic CSRF exploitation pattern:
- An attacker crafts a malicious webpage or email containing a hidden form or JavaScript that submits a request to the vulnerable SurveyJS_DeleteSurvey AJAX endpoint
- The attacker distributes this malicious content to target WordPress administrators
- When an authenticated administrator visits the attacker's page or clicks a malicious link while logged into their WordPress site, the forged request is automatically sent to the vulnerable endpoint
- Because the plugin lacks nonce validation, the request is processed as legitimate, resulting in survey deletion
- The attacker achieves unauthorized data deletion without ever authenticating to the target site
The vulnerability is exploitable over the network and requires no privileges on the target site, though user interaction (an action by a logged-in administrator) is necessary for successful exploitation.
Detection Methods for CVE-2025-13140
Indicators of Compromise
- Unexpected survey deletions in WordPress admin logs without corresponding administrator activity
- HTTP POST requests to wp-admin/admin-ajax.php with action parameter SurveyJS_DeleteSurvey from unusual referrers
- Survey deletion events correlating with administrator browsing activity on external websites
- Referer headers in access logs showing external domains for survey deletion requests
Detection Strategies
Organizations can implement the following detection strategies to identify potential exploitation attempts:
Web Application Firewall (WAF) Rules: Configure WAF rules to monitor AJAX requests targeting the SurveyJS_DeleteSurvey action, particularly those with suspicious or external referrer headers.
WordPress Activity Logging: Enable comprehensive activity logging plugins to track all survey deletions, including timestamps, source IPs, and associated user sessions. Correlate deletion events with actual administrator login sessions.
Referer Header Analysis: Monitor access logs for requests to the vulnerable endpoint where the HTTP Referer (or Origin) header points to an external domain rather than the site's own WordPress admin interface.
SentinelOne Singularity Platform: Organizations using SentinelOne can leverage endpoint detection capabilities to monitor for suspicious browser-based attacks targeting administrative sessions and detect anomalous web application behavior patterns.
Monitoring Recommendations
- Implement real-time alerting for survey deletion events outside normal administrative workflows
- Deploy web application firewall rules specifically targeting CSRF patterns against WordPress AJAX endpoints
- Enable WordPress debug logging temporarily to capture detailed request information during incident investigation
- Consider implementing Content Security Policy (CSP) form-action directives to restrict form submissions to trusted origins, noting that CSP governs only pages the site itself serves and so complements, rather than replaces, the nonce fix and SameSite session cookie attributes
How to Mitigate CVE-2025-13140
Immediate Actions Required
- Update the SurveyJS: Drag & Drop WordPress Form Builder plugin to a version newer than 1.12.20 that includes the security fix
- Review WordPress activity logs for any unauthorized survey deletions
- Audit other installed WordPress plugins for similar CSRF vulnerabilities
- Educate site administrators about CSRF attack vectors and safe browsing practices while logged into WordPress
Patch Information
The vulnerability has been addressed in the WordPress plugin repository. The security fix is documented in changeset 3403869 which adds proper nonce validation to the delete_survey.php AJAX handler. Administrators should update through the WordPress admin dashboard or download the patched version directly from the WordPress Plugin Directory.
Reference: WordPress Plugin Changeset 3403869
Workarounds
If immediate patching is not possible, consider the following temporary mitigations:
- Temporarily deactivate the SurveyJS plugin until the update can be applied
- Implement additional WAF rules to block suspicious requests to the SurveyJS_DeleteSurvey endpoint
- Restrict WordPress admin access to trusted IP addresses only
- Use browser extensions that limit cross-origin requests when accessing the WordPress admin panel
- Ensure administrators log out of WordPress sessions when browsing external websites
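As an added example serving both the detection strategies above and the workarounds in this section (it is not part of the SurveyJS plugin, the Wordfence advisory, or any vendor product), the must-use plugin below hooks the SurveyJS_DeleteSurvey action ahead of the plugin's own handler, logs every deletion attempt with user, IP and request origin, and refuses requests whose Origin/Referer host is not this site. The plugin header, function names and log format are assumed; drop the file in wp-content/mu-plugins/ only until the patched plugin (newer than 1.12.20) is installed.

```php
<?php
/**
 * Plugin Name: SurveyJS CSRF guard (temporary, illustrative mu-plugin)
 * Description: Logs and blocks cross-site SurveyJS_DeleteSurvey requests until the plugin is updated.
 */

// Host named by the request's Origin header (sent by browsers on cross-site
// POSTs), falling back to Referer; empty string if neither is present.
function surveyjs_guard_request_origin_host() {
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $_SERVER[ $header ] ) ) {
            return strtolower( (string) wp_parse_url( $_SERVER[ $header ], PHP_URL_HOST ) );
        }
    }
    return '';
}

function surveyjs_guard_delete_survey() {
    $site_host = strtolower( (string) wp_parse_url( admin_url(), PHP_URL_HOST ) );
    $req_host  = surveyjs_guard_request_origin_host();
    $user      = wp_get_current_user();
    $line      = sprintf(
        'SurveyJS_DeleteSurvey attempt user=%s ip=%s origin_host=%s survey_id=%s',
        $user->user_login ?: 'anon',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $req_host ?: '-',
        sanitize_text_field( wp_unslash( $_POST['survey_id'] ?? '' ) )
    );

    if ( $req_host !== $site_host ) {
        // Cross-site or header-less request: the CSRF shape described in the
        // advisory. Log it for the SIEM and stop before the plugin's handler runs.
        error_log( 'BLOCKED ' . $line );
        wp_die( 'Cross-site request refused', '', array( 'response' => 403 ) );
    }
    // Same-site request: still record it so deletions can be correlated with
    // real administrator sessions.
    error_log( 'ALLOWED ' . $line );
}
// Priority 1 runs before the plugin's own callback on the same hooks; the
// nopriv hook is included so anonymous attempts are logged as well.
add_action( 'wp_ajax_SurveyJS_DeleteSurvey', 'surveyjs_guard_delete_survey', 1 );
add_action( 'wp_ajax_nopriv_SurveyJS_DeleteSurvey', 'surveyjs_guard_delete_survey', 1 );
```

Because the check compares only the host, sites whose admin runs on a different hostname or subdomain than admin_url() reports must adjust $site_host, and requests that legitimately arrive without Origin and Referer (some privacy proxies) will be blocked by design while the guard is in place.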
For additional technical details, refer to the Wordfence vulnerability advisory.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

