CVE-2025-13140 is a medium severity Cross-Site Request Forgery (CSRF) vulnerability affecting the SurveyJS: Drag & Drop WordPress Form Builder plugin, versions up to and including 1.12.20. The vulnerability stems from the absence of nonce validation on the AJAX action SurveyJS_DeleteSurvey, which is responsible for deleting surveys. Nonce validation is a security mechanism in WordPress that helps verify the legitimacy of requests to prevent unauthorized actions. Without this protection, an attacker can craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a specially crafted link), results in the deletion of surveys without the administrator's explicit consent. This attack vector does not require the attacker to be authenticated, but it does require user interaction from a privileged user. The vulnerability impacts the integrity of survey data by enabling unauthorized deletion but does not compromise confidentiality or availability. The CVSS 3.1 base score of 4.3 reflects the medium severity, considering the attack vector is network-based, requires no privileges, but does require user interaction. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The plugin is used to create, style, and embed complex forms within WordPress sites, making it a valuable target for attackers seeking to disrupt data collection or manipulate survey results.

The primary impact of this vulnerability is the unauthorized deletion of surveys, which compromises data integrity and can disrupt business processes relying on survey data. Organizations using the SurveyJS plugin for critical data collection, customer feedback, or internal assessments may face operational setbacks and loss of valuable information. Although the vulnerability does not directly expose sensitive data or cause denial of service, the loss of survey data can affect decision-making and customer trust. Attackers exploiting this vulnerability could also use it as a stepping stone for further social engineering attacks against site administrators. The requirement for user interaction limits mass exploitation but targeted attacks against high-value WordPress sites remain a concern. The absence of known exploits in the wild suggests limited current threat activity, but the vulnerability's presence in a popular WordPress plugin means it could become a vector for attacks if weaponized.

To mitigate this vulnerability, organizations should immediately update the SurveyJS plugin once a patch is released that includes proper nonce validation on the SurveyJS_DeleteSurvey AJAX action. Until a patch is available, administrators should implement the following measures: 1) Restrict administrative access to trusted networks and users to reduce exposure to phishing attempts. 2) Educate site administrators about the risks of clicking unsolicited or suspicious links, especially when logged into WordPress admin panels. 3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the SurveyJS_DeleteSurvey action. 4) Monitor logs for unusual deletion activity or unexpected AJAX calls related to survey management. 5) Consider temporarily disabling or limiting the use of the SurveyJS_DeleteSurvey functionality if feasible. 6) Enforce multi-factor authentication (MFA) for WordPress administrator accounts to reduce the risk of compromised credentials being leveraged in conjunction with CSRF attacks.