CVE-2025-12891 identifies a missing authorization vulnerability (CWE-862) in the ays-pro Survey Maker plugin for WordPress, specifically affecting all versions up to and including 5.1.9.4. The vulnerability resides in the 'ays_survey_show_results' AJAX endpoint, which lacks proper capability checks to verify if the requester is authorized to view survey results. This omission allows unauthenticated attackers to remotely access all survey submissions, potentially exposing sensitive or private data collected through surveys. The vulnerability does not impact data integrity or availability but compromises confidentiality. The attack vector is network-based, requiring no privileges or user interaction, making exploitation straightforward for an attacker aware of the endpoint. Although no public exploits or active exploitation have been reported, the widespread use of WordPress and the popularity of survey plugins increase the risk of future exploitation. The CVSS v3.1 base score is 5.3, reflecting a medium severity rating, with the vector string indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), confidentiality impact low (C:L), and no impact on integrity or availability (I:N/A:N). The vulnerability was published on November 13, 2025, and assigned by Wordfence. No patch links are currently available, indicating that users must monitor for updates or apply manual mitigations.

The primary impact of CVE-2025-12891 is the unauthorized disclosure of survey submission data, which can include personally identifiable information, opinions, or other sensitive responses collected by organizations. This breach of confidentiality can damage organizational reputation, violate privacy regulations such as GDPR or CCPA, and erode trust with survey participants. For organizations relying on survey data for decision-making, exposure of raw data may lead to competitive disadvantages or manipulation risks. Since the vulnerability does not affect data integrity or availability, the operational impact is limited to information disclosure. However, the ease of exploitation without authentication or user interaction increases the likelihood of opportunistic attacks, especially if attackers scan for vulnerable endpoints. Organizations worldwide using the ays-pro Survey Maker plugin are at risk, particularly those collecting sensitive or regulated data. The absence of known exploits in the wild currently limits immediate widespread damage but does not eliminate future risk.

1. Monitor the official ays-pro Survey Maker plugin channels and WordPress plugin repository for security updates or patches addressing CVE-2025-12891 and apply them promptly once available. 2. Until an official patch is released, implement web application firewall (WAF) rules to restrict access to the 'ays_survey_show_results' AJAX endpoint, allowing only trusted IP addresses or authenticated users to access it. 3. Review and harden WordPress user roles and permissions to minimize exposure of survey data and restrict plugin access to necessary personnel only. 4. Consider disabling or removing the Survey Maker plugin if survey functionality is not critical or if alternative secure survey tools are available. 5. Conduct regular security audits and penetration tests focusing on plugin endpoints to detect unauthorized access attempts. 6. Educate administrators on the risks of unauthorized data exposure and encourage prompt response to security advisories. 7. Implement logging and monitoring of AJAX endpoint access to detect anomalous or unauthorized requests early. These targeted mitigations go beyond generic advice by focusing on access control and monitoring specific to the vulnerable endpoint.