CVE-2025-13139 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the SurveyJS: Drag & Drop Form Builder plugin for WordPress, maintained by devsoftbaltic. This vulnerability affects all versions up to and including 1.12.20. The root cause is the absence of nonce validation on the AJAX action SurveyJS_AddSurvey, which is responsible for creating surveys within the plugin. Nonce validation is a security mechanism used in WordPress to verify that requests are intentional and originate from legitimate users. Without this validation, an attacker can craft a malicious request that, when executed by an authenticated administrator (e.g., by clicking a link), results in the creation of unauthorized surveys. The attack does not require the attacker to be authenticated but does require the victim administrator to perform an action, such as clicking a specially crafted URL. The vulnerability impacts the integrity of the WordPress site by allowing unauthorized content creation, which could be leveraged for phishing, misinformation, or other malicious activities. The CVSS v3.1 base score is 4.3, indicating medium severity, with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, meaning the attack can be performed remotely with low complexity, no privileges required, but requires user interaction and affects only integrity without impacting confidentiality or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is on the integrity of affected WordPress sites using the SurveyJS plugin. Unauthorized creation of surveys could be used to inject malicious content, conduct phishing campaigns, or manipulate site data, potentially damaging the organization's reputation and trustworthiness. While the vulnerability does not directly affect confidentiality or availability, the unauthorized content could serve as a vector for further attacks or social engineering. Organizations relying on this plugin for survey collection or data gathering may face operational disruptions or data integrity issues. Since exploitation requires an administrator to interact with a malicious link, the risk is somewhat mitigated but remains significant in environments with less cautious administrative users. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability becomes widely known. Overall, the vulnerability poses a moderate risk to organizations, particularly those with high administrative user activity and reliance on the affected plugin.

To mitigate this vulnerability, organizations should immediately verify whether they use the SurveyJS: Drag & Drop Form Builder plugin and identify the version in use. If running a vulnerable version (up to 1.12.20), they should upgrade to a patched version once available or apply custom nonce validation on the SurveyJS_AddSurvey AJAX action to ensure requests are legitimate. In the absence of an official patch, administrators can implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the AJAX action. Additionally, educating site administrators about the risks of clicking unknown or suspicious links can reduce the likelihood of successful exploitation. Regularly auditing plugin usage and permissions, limiting administrative access, and monitoring logs for unusual survey creation activity can help detect and respond to potential exploitation attempts. Finally, subscribing to vendor and security advisories for updates on patches or further guidance is recommended.