CVE-2025-12891 identifies a missing authorization vulnerability (CWE-862) in the ays-pro Survey Maker plugin for WordPress, present in all versions up to and including 5.1.9.4. The vulnerability stems from the absence of a capability check on the 'ays_survey_show_results' AJAX endpoint, which is responsible for displaying survey results. Because this endpoint does not verify whether the requester is authorized, unauthenticated attackers can invoke it remotely to retrieve all survey submissions stored by the plugin. The vulnerability does not require any authentication or user interaction, making it trivially exploitable over the network. The impact is limited to confidentiality, as attackers can view survey data but cannot modify or disrupt the service. The CVSS v3.1 base score is 5.3 (medium), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on confidentiality only. No patches were available at the time of disclosure, and no known exploits have been reported in the wild. The vulnerability poses a significant privacy risk, especially for organizations collecting sensitive or personal data via surveys. The technical root cause is a missing authorization check on an AJAX endpoint, a common issue in WordPress plugins that can lead to data leakage. Detection involves reviewing access logs for suspicious calls to the AJAX endpoint and inspecting plugin code for missing capability checks. Remediation requires vendor patches or manual code fixes to enforce proper authorization before returning survey results.

For European organizations, the primary impact of CVE-2025-12891 is unauthorized disclosure of survey submission data, which may include personal or sensitive information depending on the survey content. This exposure can lead to privacy violations, non-compliance with GDPR and other data protection regulations, reputational damage, and potential legal consequences. Organizations in sectors such as healthcare, education, market research, and government that rely on survey data are particularly at risk. The vulnerability does not affect data integrity or availability, so operational disruption is unlikely. However, the ease of exploitation without authentication increases the risk of widespread data leakage if the plugin is widely deployed. European entities using WordPress sites with the ays-pro Survey Maker plugin should consider the sensitivity of their survey data and the potential fallout from unauthorized access. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits post-disclosure.

1. Apply official patches from the ays-pro vendor immediately once available to enforce proper authorization on the 'ays_survey_show_results' AJAX endpoint. 2. Until patches are released, restrict access to the AJAX endpoint via web application firewalls (WAFs) or server-level access controls (e.g., IP whitelisting, authentication gateways) to prevent unauthenticated external access. 3. Audit all survey data collected through the plugin to identify sensitive information and consider removing or anonymizing data where possible. 4. Monitor web server and WordPress logs for unusual or repeated access attempts to the vulnerable AJAX endpoint. 5. Review and harden WordPress plugin permissions and user roles to minimize exposure. 6. Consider disabling or replacing the Survey Maker plugin if immediate patching or controls are not feasible. 7. Educate site administrators about the risks of missing authorization checks in plugins and encourage regular plugin updates and security reviews. 8. Implement network segmentation and least privilege principles to limit exposure of WordPress backend services.