CVE-2025-13194 Overview
CVE-2025-13194 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the SurveyJS: Drag & Drop WordPress Form Builder plugin, a popular tool used to create, style, and embed multiple forms of any complexity on WordPress sites. The vulnerability exists in all versions up to and including 1.12.20 and stems from missing nonce verification on the SurveyJS_RenameSurvey AJAX action.
This security flaw allows unauthenticated attackers to rename surveys via forged requests, provided they can trick a site administrator into performing an action such as clicking on a malicious link. While the direct impact is limited to survey manipulation, successful exploitation could lead to confusion, disruption of form workflows, or be chained with other attacks for broader impact.
Critical Impact
Unauthenticated attackers can manipulate survey names through CSRF attacks, potentially disrupting site operations and user trust when administrators are socially engineered into clicking malicious links.
Affected Products
- SurveyJS: Drag & Drop WordPress Form Builder plugin versions ≤ 1.12.20
- WordPress installations using the vulnerable SurveyJS plugin
- Any website forms created and managed through the affected plugin versions
Discovery Timeline
- 2026-01-24 - CVE CVE-2025-13194 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-13194
Vulnerability Analysis
The vulnerability resides in the AJAX handler responsible for renaming surveys within the SurveyJS WordPress plugin. Specifically, the SurveyJS_RenameSurvey AJAX action fails to implement proper nonce verification, a standard WordPress security mechanism designed to protect against CSRF attacks.
In WordPress, nonces (number used once) are security tokens that validate whether a request originated from the actual site and was initiated by a logged-in user with appropriate privileges. When these tokens are missing or not properly verified, attackers can craft malicious requests that execute actions on behalf of authenticated users without their knowledge or consent.
The attack requires user interaction—specifically, an administrator must be tricked into clicking a link or visiting a page containing the malicious request. This social engineering component is typical of CSRF vulnerabilities and is reflected in the attack vector requiring user interaction.
Root Cause
The root cause of CVE-2025-13194 is the absence of nonce verification in the rename_survey.php AJAX handler. WordPress provides the wp_verify_nonce() and check_ajax_referer() functions specifically to validate that requests originate from legitimate sources. The vulnerable code at line 12 of the rename_survey.php file processes the rename request without first confirming the request's authenticity through these security mechanisms.
This oversight allows any request—including those forged by attackers—to be processed as if it were a legitimate administrative action, provided the victim has an active authenticated session with the WordPress site.
Attack Vector
The attack vector for this vulnerability is network-based and requires user interaction. An attacker would craft a malicious HTML page or link containing a forged request to the vulnerable AJAX endpoint. The attack flow typically follows this pattern:
- The attacker identifies a WordPress site using a vulnerable version of the SurveyJS plugin
- The attacker crafts a malicious page containing a hidden form or JavaScript that submits a request to the SurveyJS_RenameSurvey AJAX action
- The attacker tricks a logged-in site administrator into visiting the malicious page
- The administrator's browser automatically sends the forged request along with their valid session cookies
- The WordPress site processes the request, renaming the targeted survey without proper authorization verification
The vulnerability can be exploited through various delivery mechanisms including phishing emails, malicious advertisements, or compromised legitimate websites. Technical details of the vulnerable code can be found in the WordPress Plugin Code Review.
Detection Methods for CVE-2025-13194
Indicators of Compromise
- Unexpected changes to survey names in the SurveyJS plugin administration panel
- Suspicious referrer headers in web server logs pointing to external domains for AJAX requests to admin-ajax.php with action=SurveyJS_RenameSurvey
- Administrator reports of clicking on unknown links shortly before survey modifications were detected
- Web application firewall logs showing blocked CSRF attempts targeting the SurveyJS endpoint
Detection Strategies
- Monitor WordPress AJAX request logs for SurveyJS_RenameSurvey actions with suspicious referrer headers
- Implement web application firewall rules to detect and block requests to the vulnerable endpoint from external origins
- Enable WordPress audit logging to track all survey modifications and correlate with administrator session activity
- Review server access logs for patterns consistent with CSRF exploitation attempts
Monitoring Recommendations
- Configure alerts for any survey rename operations occurring outside of normal administrative workflows
- Deploy endpoint detection solutions to identify and block social engineering attempts targeting administrators
- Implement real-time monitoring of WordPress plugin activities through security plugins like Wordfence
- Establish baseline activity patterns for SurveyJS administrative actions to identify anomalous behavior
How to Mitigate CVE-2025-13194
Immediate Actions Required
- Update the SurveyJS: Drag & Drop WordPress Form Builder plugin to a version newer than 1.12.20 that includes the security fix
- Audit recent survey modifications to identify any unauthorized changes that may have occurred prior to patching
- Educate site administrators about the risks of clicking unknown links while logged into the WordPress admin panel
- Consider temporarily disabling the plugin if an immediate update is not possible
Patch Information
The vulnerability was identified in SurveyJS plugin version 1.12.20 and earlier. Site administrators should update to the latest available version through the WordPress plugin repository. The fix involves implementing proper nonce verification on the SurveyJS_RenameSurvey AJAX action to validate request authenticity.
For detailed vulnerability analysis, refer to the Wordfence Vulnerability Analysis.
Workarounds
- Implement a web application firewall (WAF) rule to block external requests to the SurveyJS_RenameSurvey AJAX action until patching is complete
- Restrict WordPress admin access to trusted IP addresses to reduce the attack surface
- Use browser extensions or security policies that block cross-origin form submissions for administrative sessions
- Temporarily deactivate the SurveyJS plugin if survey functionality is not critical to site operations
# WordPress CLI command to check current SurveyJS plugin version
wp plugin list --name=surveyjs --format=table
# Update the SurveyJS plugin to the latest version
wp plugin update surveyjs
# If update is not immediately available, deactivate the plugin temporarily
wp plugin deactivate surveyjs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
