CVE-2025-12892 identifies a missing authorization vulnerability (CWE-862) in the ays-pro Survey Maker plugin for WordPress, present in all versions up to and including 5.1.9.4. The root cause is the absence of a capability check in the deactivate_plugin_option() function, which manages the ays_survey_maker_upgrade_plugin option. This flaw allows unauthenticated attackers to remotely update this plugin option without any privilege or user interaction. The vulnerability does not expose confidential data or cause denial of service but compromises the integrity of plugin settings, potentially enabling attackers to alter plugin behavior or facilitate further attacks. The CVSS v3.1 base score is 5.3, reflecting network attack vector, no privileges required, no user interaction, and impact limited to integrity. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. The plugin is widely used in WordPress environments, making the vulnerability relevant to many websites globally. The lack of authorization checks in plugin option management is a critical security oversight that can lead to unauthorized configuration changes and potential downstream risks.

The primary impact of CVE-2025-12892 is unauthorized modification of plugin configuration data, which compromises the integrity of the affected WordPress site’s Survey Maker plugin settings. While confidentiality and availability are not directly affected, unauthorized changes could enable attackers to manipulate survey behavior, potentially injecting malicious content, redirecting users, or facilitating privilege escalation and further exploitation. Organizations relying on the Survey Maker plugin for data collection or user interaction may face risks of data manipulation or loss of trust from users. Since the vulnerability requires no authentication and can be exploited remotely, it increases the attack surface significantly. Although no known exploits exist in the wild currently, the vulnerability’s presence in a widely deployed WordPress plugin means that opportunistic attackers could develop exploits, leading to widespread impact. This could affect websites ranging from small businesses to large enterprises using WordPress for surveys, marketing, or customer feedback, potentially damaging reputation and operational integrity.

To mitigate CVE-2025-12892, organizations should immediately update the ays-pro Survey Maker plugin to a patched version once available. In the absence of an official patch, administrators should implement strict access controls on WordPress plugin management interfaces, restricting permissions to trusted administrators only. Reviewing and hardening WordPress user roles and capabilities can reduce the risk of unauthorized changes. Additionally, monitoring changes to plugin options and configuration files can help detect unauthorized modifications early. Employing Web Application Firewalls (WAFs) with custom rules to block suspicious requests targeting the deactivate_plugin_option() function or related endpoints can provide temporary protection. Regular security audits and vulnerability scanning focused on WordPress plugins should be conducted to identify and remediate similar authorization issues. Finally, educating site administrators about the risks of unauthorized plugin modifications and encouraging timely updates is critical to maintaining security.