CVE-2025-13139: CWE-352 Cross-Site Request Forgery (CSRF) in devsoftbaltic SurveyJS: Drag & Drop Form Builder
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13139 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the SurveyJS: Drag & Drop Form Builder WordPress plugin developed by devsoftbaltic. The vulnerability exists in all versions up to and including 1.12.20 due to the absence of nonce validation on the AJAX action SurveyJS_AddSurvey. A WordPress nonce is a per-user, time-limited token that a request handler checks (for example with check_ajax_referer()) to confirm that the request was built by the site's own pages and reflects the user's intent, rather than by a third-party page the user happened to visit. Without this validation, an attacker can craft a malicious web request that, when executed in the browser of an authenticated administrator (by clicking a link or visiting a crafted page), causes the creation of arbitrary surveys on the affected site. The attacker does not need an account on the site, but exploitation does require an administrator's interaction, which makes it less straightforward but still feasible. The vulnerability affects the integrity of the site by allowing unauthorized content creation, which could be leveraged for further attacks such as phishing or social engineering. The CVSS 3.1 base score is 4.3 (medium), reflecting the network attack vector, low complexity and no privileges required, offset by the need for user interaction and an impact limited to integrity. No patches or exploits are currently documented, but the risk remains for sites running vulnerable plugin versions.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized creation of surveys on WordPress sites, potentially undermining trust in the affected web properties. While it does not directly compromise sensitive data confidentiality or site availability, the integrity impact could be significant if attackers use the surveys to collect misleading information, conduct phishing campaigns, or manipulate user interactions. Organizations relying on SurveyJS for customer feedback, internal surveys, or data collection could face reputational damage or operational disruption. Since WordPress is widely used across Europe, especially in small to medium enterprises and public sector websites, the exposure is notable. Attackers exploiting this vulnerability could also use the created surveys as a foothold for further attacks or social engineering campaigns targeting administrators or users. The lack of authentication requirement for the attacker increases the risk, although the need for administrator interaction somewhat limits large-scale automated exploitation.
Mitigation Recommendations
Immediate mitigation involves updating the SurveyJS: Drag & Drop Form Builder plugin to a version that includes nonce validation on the SurveyJS_AddSurvey AJAX action once available. Until a patch is released, administrators should implement the following specific measures:
- Restrict administrative access to trusted networks and users to reduce the risk of malicious link clicks.
- Educate administrators about the risks of clicking untrusted links or visiting suspicious websites while logged into the WordPress admin.
- Employ web application firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the SurveyJS_AddSurvey action, for example requests to admin-ajax.php with action=SurveyJS_AddSurvey whose Origin or Referer header is missing or does not match the site's own origin.
- Monitor logs for unusual survey creation activity or unexpected AJAX calls.
- Consider temporarily disabling the SurveyJS plugin if survey functionality is not critical or can be deferred.
- Implement Content Security Policy (CSP) headers to limit the execution of untrusted scripts. Note that CSP does not stop a plain cross-site form submission, so this is defence in depth rather than a CSRF fix.
These targeted actions go beyond generic advice and focus on reducing attack surface and exposure until a secure plugin version is deployed.
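The following added example is not the SurveyJS plugin's code (this page does not show the plugin's handler); it illustrates the generic pattern the technical summary and the mitigation section describe: an admin-ajax handler that writes state with no nonce or capability check, beside a hardened version that issues a nonce to the plugin's own admin script and verifies it with check_ajax_referer() before touching state. The function names, the `surveyjs_demo_*` hook and option names, the `manage_options` capability and the `toplevel_page_surveyjs-demo` menu slug are assumptions made for the example; the vulnerable action on the real plugin is SurveyJS_AddSurvey.

```php
<?php
/**
 * Added example (not the SurveyJS plugin's own code): an admin-ajax handler
 * that creates a survey, shown first without and then with CSRF protection.
 * Hook names, capability, option name and menu slug are assumptions.
 */

// ---- Weak pattern (CWE-352): no nonce and no capability check. Any page the
// logged-in administrator visits can submit this request on their behalf,
// because the browser attaches the WordPress session cookies automatically.
function surveyjs_demo_add_survey_unprotected() {
    $title     = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $surveys   = get_option( 'surveyjs_demo_surveys', array() );
    $surveys[] = array( 'title' => $title, 'created' => time() );
    update_option( 'surveyjs_demo_surveys', $surveys );
    wp_send_json_success( array( 'count' => count( $surveys ) ) );
}
// add_action( 'wp_ajax_surveyjs_demo_add_survey', 'surveyjs_demo_add_survey_unprotected' );

// ---- Hardened pattern.
// 1. Issue a nonce to the plugin's own admin script only. A cross-site page
//    cannot read it (same-origin policy), so a forged request cannot carry it.
function surveyjs_demo_enqueue_admin_script( $hook_suffix ) {
    if ( 'toplevel_page_surveyjs-demo' !== $hook_suffix ) { // assumed menu slug
        return;
    }
    wp_enqueue_script(
        'surveyjs-demo-admin',
        plugins_url( 'admin.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    // Exposed to admin.js as window.surveyjsDemo.ajaxUrl / .nonce
    wp_localize_script( 'surveyjs-demo-admin', 'surveyjsDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'surveyjs_demo_add_survey' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'surveyjs_demo_enqueue_admin_script' );

// 2. Verify the nonce and the caller's capability before changing any state.
function surveyjs_demo_add_survey_protected() {
    // check_ajax_referer() reads $_REQUEST['_ajax_nonce'] and terminates the
    // request with HTTP 403 when the token is missing, expired or invalid.
    check_ajax_referer( 'surveyjs_demo_add_survey', '_ajax_nonce' );

    // A nonce proves intent for the current user; it does not prove authority.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Title is required.' ), 400 );
    }

    $surveys   = get_option( 'surveyjs_demo_surveys', array() );
    $surveys[] = array(
        'title'   => $title,
        'created' => time(),
        'by'      => get_current_user_id(),
    );
    update_option( 'surveyjs_demo_surveys', $surveys );
    wp_send_json_success( array( 'count' => count( $surveys ) ) );
}
// Registered for logged-in users only (wp_ajax_, never wp_ajax_nopriv_): a
// state-changing admin action has no reason to be reachable anonymously.
add_action( 'wp_ajax_surveyjs_demo_add_survey', 'surveyjs_demo_add_survey_protected' );
```

The plugin's admin.js would POST `action=surveyjs_demo_add_survey`, the `title`, and `_ajax_nonce=surveyjsDemo.nonce` to `surveyjsDemo.ajaxUrl`. WordPress nonces are bound to the user and session and expire after a tick of 12 to 24 hours, so a token captured from one administrator's page is useless to a page on another origin, which is exactly what the missing check in the advisory leaves open.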
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-13T18:49:37.998Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69748ef84623b1157cac2e69
Added to database: 1/24/2026, 9:20:56 AM
Last enriched: 2/1/2026, 8:30:23 AM
Last updated: 2/3/2026, 3:45:29 AM