
CVE-2025-12892: CWE-862 Missing Authorization in ays-pro Survey Maker

Medium
Published: Thu Nov 13 2025 (11/13/2025, 03:27:38 UTC)
Source: CVE Database V5
Vendor/Project: ays-pro
Product: Survey Maker

Description

The Survey Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to update the ays_survey_maker_upgrade_plugin option.

AI-Powered Analysis

Last updated: 11/20/2025, 04:49:14 UTC

Technical Analysis

CVE-2025-12892 is a vulnerability identified in the ays-pro Survey Maker plugin for WordPress, affecting all versions up to and including 5.1.9.4. The root cause is a missing authorization check (CWE-862) in the deactivate_plugin_option() function, which is responsible for modifying plugin options. This flaw allows unauthenticated attackers to update the ays_survey_maker_upgrade_plugin option without any capability verification, effectively enabling unauthorized modification of plugin configuration data. The vulnerability is exploitable remotely over the network without requiring any user interaction or authentication, increasing its attack surface. The impact is limited to integrity as attackers can alter plugin options, potentially leading to altered plugin behavior or enabling further attacks if combined with other vulnerabilities. However, the vulnerability does not directly compromise confidentiality or availability. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of exploitation and limited impact scope. No known public exploits or patches are available at the time of disclosure, which increases the risk window for organizations using this plugin. The plugin is commonly used in WordPress environments, which are widely deployed across many sectors, including business, education, and government websites.
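To make the CWE-862 pattern concrete, the following is an added illustration written for this page; it is not the Survey Maker plugin's code and does not reproduce the actual deactivate_plugin_option() implementation. The option name ays_survey_maker_upgrade_plugin comes from the advisory, while the hook names, function names, the 'manage_options' capability and the 'off' value are assumptions chosen for the example. The first handler shows an AJAX endpoint that is exposed to unauthenticated visitors and writes an option with no authorization check; the second shows the same handler with a nonce check and a capability check in front of the write, registered only for logged-in users.

```php
<?php
// Added example, not plugin code: contrasts a missing-authorization (CWE-862)
// option-update handler with a hardened version. Hook/function names,
// the capability and the 'off' value are assumptions for illustration.

// --- Vulnerable pattern ---
// Registered on wp_ajax_nopriv_, so visitors who are not logged in can reach it,
// and nothing verifies who is calling before the option is written.
function example_deactivate_plugin_option_vulnerable() {
    update_option( 'ays_survey_maker_upgrade_plugin', 'off' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_deactivate_option_vuln', 'example_deactivate_plugin_option_vulnerable' );
add_action( 'wp_ajax_nopriv_example_deactivate_option_vuln', 'example_deactivate_plugin_option_vulnerable' );

// --- Hardened pattern ---
function example_deactivate_plugin_option_hardened() {
    // Stop here unless the request carries a valid nonce for this action
    // (check_ajax_referer() terminates the request on failure by default).
    check_ajax_referer( 'example_deactivate_option_nonce', 'nonce' );

    // Closes the CWE-862 gap: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Only an authorized, nonce-bearing request reaches the write.
    update_option( 'ays_survey_maker_upgrade_plugin', 'off' );
    wp_send_json_success();
}
// Registered on wp_ajax_ only: there is deliberately no wp_ajax_nopriv_ hook,
// so the handler is never reachable without a logged-in session.
add_action( 'wp_ajax_example_deactivate_option', 'example_deactivate_plugin_option_hardened' );
```

The client side of the hardened variant must embed a nonce generated with wp_create_nonce( 'example_deactivate_option_nonce' ) and send it as the nonce request parameter; without it check_ajax_referer() rejects the call. The two checks address different risks: the nonce prevents a logged-in administrator from being tricked into triggering the write (CSRF), and the capability check is the authorization that the advisory says is missing, so neither one substitutes for the other.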

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the integrity of WordPress sites using the ays-pro Survey Maker plugin. Unauthorized modification of plugin options could lead to altered survey behavior, potential data manipulation, or the introduction of malicious configurations that might facilitate further exploitation or data collection abuse. Public-facing websites are particularly vulnerable since the exploit requires no authentication. While the direct impact on confidentiality and availability is low, the integrity compromise could undermine trust in survey data and potentially affect decision-making processes relying on such data. Organizations in sectors like education, market research, and public administration that use surveys extensively may face reputational damage or operational disruption. The lack of patches increases exposure time, and attackers could chain this vulnerability with others to escalate privileges or execute further attacks.

Mitigation Recommendations

1. Monitor official channels of the ays-pro Survey Maker plugin for security updates and apply patches promptly once available.
2. Restrict access to WordPress administrative endpoints using IP whitelisting or VPNs to limit exposure to unauthenticated requests.
3. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized attempts to invoke deactivate_plugin_option() or modify plugin options.
4. Regularly audit WordPress plugin configurations and logs for unauthorized changes or suspicious activity.
5. Consider disabling or replacing the Survey Maker plugin if immediate patching is not feasible, especially on high-risk or public-facing sites.
6. Implement least privilege principles for WordPress user roles to minimize potential damage from compromised plugins.
7. Educate site administrators about this vulnerability and encourage vigilance against unusual plugin behavior or site anomalies.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-07T18:09:46.759Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691553e024a15f0eafbbc0aa

Added to database: 11/13/2025, 3:43:28 AM

Last enriched: 11/20/2025, 4:49:14 AM

Last updated: 12/28/2025, 12:06:09 PM

Views: 97
