The vulnerability CVE-2025-13140 affects the SurveyJS: Drag & Drop WordPress Form Builder plugin, which is widely used to create and embed complex forms in WordPress sites. The issue is a Cross-Site Request Forgery (CSRF) vulnerability classified under CWE-352, caused by the absence of nonce validation on the AJAX action SurveyJS_DeleteSurvey. Nonce validation is a security mechanism used in WordPress to verify that requests are intentional and originate from legitimate users. Without this protection, attackers can craft malicious links or web pages that, when visited or clicked by an authenticated site administrator, trigger the deletion of surveys without their consent. The vulnerability does not require the attacker to be authenticated, but it does require the administrator to interact with the malicious content (user interaction). The impact is limited to the integrity of survey data, as attackers can delete surveys, potentially disrupting business processes or data collection efforts. Confidentiality and availability are not directly impacted. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that the attack can be launched remotely with low complexity, no privileges required, but requires user interaction and affects integrity only. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly to prevent exploitation.

For European organizations, the primary impact is the potential loss or manipulation of survey data, which can affect decision-making, customer feedback collection, and compliance reporting. Organizations relying on SurveyJS forms for regulatory data collection or customer interactions may face operational disruptions and reputational damage if surveys are deleted unexpectedly. While the vulnerability does not expose sensitive data directly, the integrity loss can undermine trust in the data and lead to additional costs for data recovery or re-collection. Since the attack requires administrator interaction, social engineering risks increase, necessitating heightened awareness among staff. The impact is more pronounced in sectors with heavy reliance on digital forms, such as public administration, healthcare, and market research firms across Europe.

1. Monitor for updates from devsoftbaltic and apply patches immediately once available to address nonce validation issues. 2. Implement manual nonce validation on the SurveyJS_DeleteSurvey AJAX action if patching is delayed, by customizing the plugin or using WordPress hooks to enforce nonce checks. 3. Educate WordPress administrators and site managers about the risks of clicking unknown or suspicious links, especially when logged into administrative accounts. 4. Employ Content Security Policy (CSP) headers and SameSite cookie attributes to reduce CSRF risks. 5. Regularly audit WordPress plugins for security compliance and minimize the use of unnecessary plugins. 6. Use multi-factor authentication (MFA) for WordPress admin accounts to reduce the risk of account compromise. 7. Implement web application firewalls (WAF) with CSRF protection rules to detect and block suspicious requests targeting AJAX endpoints.