
CVE-2025-12891: CWE-862 Missing Authorization in ays-pro Survey Maker

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-12891, cwe-862
Published: Thu Nov 13 2025 (11/13/2025, 04:28:00 UTC)
Source: CVE Database V5
Vendor/Project: ays-pro
Product: Survey Maker

Description

The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all survey submissions.

AI-Powered Analysis

Last updated: 11/13/2025, 04:50:20 UTC

Technical Analysis

CVE-2025-12891 is a vulnerability identified in the ays-pro Survey Maker plugin for WordPress, specifically in all versions up to and including 5.1.9.4. The root cause is a missing authorization check on the AJAX endpoint 'ays_survey_show_results', which is intended to display survey results. Because the plugin fails to verify user capabilities before responding to requests on this endpoint, unauthenticated attackers can remotely access all survey submissions without any credentials or user interaction. This vulnerability is classified under CWE-862 (Missing Authorization), indicating a failure to enforce proper access controls. The CVSS 3.1 base score is 5.3 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack can be performed remotely over the network with low attack complexity, no privileges, and no user interaction, impacting confidentiality only. No integrity or availability impacts are noted. At the time of disclosure, no patches or known exploits exist, but the vulnerability poses a risk of unauthorized data disclosure. Survey data may include personally identifiable information or sensitive responses, which could lead to privacy violations or reputational damage. The plugin is widely used in WordPress environments, making the attack surface significant. The vulnerability's exploitation is straightforward due to the lack of authentication requirements, increasing the risk of opportunistic attacks.

Potential Impact

For European organizations, the unauthorized disclosure of survey submissions can lead to significant privacy and compliance issues, especially under GDPR regulations that mandate protection of personal data. Exposure of survey data could result in leakage of sensitive or personally identifiable information, undermining user trust and potentially causing legal and financial repercussions. While the vulnerability does not allow modification or deletion of data, the confidentiality breach alone is critical for organizations handling sensitive survey content, such as market research firms, healthcare providers, or public sector entities. The ease of exploitation and lack of authentication requirements increase the likelihood of automated scanning and data harvesting by malicious actors. Organizations relying on the ays-pro Survey Maker plugin in WordPress environments should consider this vulnerability a priority to address to avoid data breaches and regulatory penalties.

Mitigation Recommendations

1. Immediately restrict access to the 'ays_survey_show_results' AJAX endpoint by implementing server-level access controls (e.g., IP whitelisting or authentication requirements) until an official patch is released.
2. Apply custom code to enforce capability checks on the AJAX endpoint, ensuring only authorized users can view survey results.
3. Disable or uninstall the ays-pro Survey Maker plugin if survey result access is not critical or if mitigation is not feasible.
4. Monitor web server logs for unusual or repeated access attempts to the vulnerable endpoint to detect potential exploitation attempts.
5. Keep WordPress core and all plugins updated, and subscribe to vendor security advisories for prompt patch application once available.
6. Conduct an audit of stored survey data to assess exposure risk and notify affected parties if sensitive data has been potentially accessed.
7. Consider deploying Web Application Firewalls (WAF) with custom rules to block unauthorized requests targeting the vulnerable endpoint.
8. Educate site administrators about the risks of using outdated plugins and the importance of timely updates and security reviews.
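For the log-monitoring step above, a small detector over web server access logs, added here as an example and not taken from the advisory or the plugin. It assumes Combined Log Format and that the endpoint is reached through WordPress's standard `/wp-admin/admin-ajax.php` entry point with the action name in the query string; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

ACTION = "ays_survey_show_results"      # endpoint name taken from the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"  # standard WordPress AJAX entry point

# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_hits(lines):
    """Return one record per request that names the vulnerable action in its URL."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(AJAX_PATH):  # endswith covers subdirectory installs
            continue
        # parse_qs percent-decodes, so an encoded action name still matches.
        # A POST carrying the action in its body is not visible in access logs.
        if ACTION in parse_qs(url.query).get("action", []):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

def summarize(hits):
    """Count 2xx hits per client IP: the requests that were actually served."""
    return Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [13/Nov/2025:05:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=ays_survey_show_results HTTP/1.1" 200 18234 "-" "-"',
    '192.0.2.44 - - [13/Nov/2025:05:01:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "-"',
    '203.0.113.7 - - [13/Nov/2025:05:02:03 +0000] "GET /blog/wp-admin/admin-ajax.php?action=ays%5Fsurvey%5Fshow%5Fresults HTTP/1.1" 200 17950 "-" "-"',
    '198.51.100.9 - - [13/Nov/2025:05:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=ays_survey_show_results HTTP/1.1" 403 162 "-" "-"',
    '192.0.2.44 - - [13/Nov/2025:05:04:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 310 "-" "-"',
]

if __name__ == "__main__":
    for ip, count in summarize(find_hits(SAMPLE)).most_common():
        print(f"{ip}\t{count} served request(s) for {ACTION}")
```

Access logs do not show whether a request was authenticated, so served hits still need to be compared against the administrators expected to view results; a 403 on this action indicates that a server-level or WAF block is working.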


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-07T18:06:27.616Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691562068f1a6240444c43e4

Added to database: 11/13/2025, 4:43:50 AM

Last enriched: 11/13/2025, 4:50:20 AM

Last updated: 11/13/2025, 7:58:04 AM

