The SurveyJS Drag & Drop WordPress Form Builder plugin, developed by devsoftbaltic, suffers from a critical authorization bypass vulnerability identified as CVE-2024-12544 (CWE-862). The core issue is a missing capability check in the callback function of the SurveyJS_DeleteFile class, which handles file deletion requests. This flaw allows any authenticated user with at least Subscriber-level privileges to delete arbitrary files on the hosting server. Since WordPress Subscriber roles are typically assigned to minimally privileged users, this significantly lowers the attack barrier. The deletion of sensitive files such as wp-config.php can lead to remote code execution, enabling attackers to take full control of the WordPress site and underlying server. Additionally, the function is vulnerable to CSRF attacks as of version 1.12.20, meaning attackers can trick authenticated users into executing unwanted file deletions. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required beyond authentication. No official patches or fixes have been linked yet, increasing the urgency for administrators to apply workarounds or restrict access until a patch is released.

This vulnerability poses a severe risk to organizations running WordPress sites with the affected SurveyJS plugin. Attackers with minimal privileges can delete critical files, potentially causing site outages, data loss, and enabling remote code execution. This can lead to full site compromise, data breaches, defacement, or use of the site as a pivot point for further network attacks. The ease of exploitation and the low privilege required make it attractive for attackers, including insider threats or compromised accounts. The CSRF vulnerability further expands the attack surface by allowing exploitation through social engineering. Organizations relying on this plugin for form building and data collection face operational disruption and reputational damage if exploited. The lack of known exploits in the wild currently provides a window for mitigation, but the risk remains high due to the vulnerability's nature.

1. Immediately restrict access to the WordPress admin area and limit Subscriber-level permissions to trusted users only. 2. Disable or uninstall the SurveyJS plugin until a security patch is released. 3. Monitor server and WordPress logs for unusual file deletion activities, especially targeting critical files like wp-config.php. 4. Implement Web Application Firewall (WAF) rules to detect and block unauthorized file deletion requests and CSRF attempts targeting the plugin's endpoints. 5. Enforce multi-factor authentication (MFA) for all WordPress accounts to reduce the risk of account compromise. 6. Regularly back up WordPress files and databases to enable rapid recovery in case of file deletion or site compromise. 7. Follow devsoftbaltic and WordPress security advisories closely for official patches and apply them promptly once available. 8. Consider deploying security plugins that enforce capability checks and harden file permissions on the server to mitigate unauthorized deletions.