CVE-2025-13194 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the SurveyJS: Drag & Drop Form Builder plugin for WordPress, developed by devsoftbaltic. The vulnerability exists in all versions up to and including 1.12.20 due to the absence of nonce verification on the AJAX action 'SurveyJS_RenameSurvey'. Nonce verification is a security mechanism used in WordPress to ensure that requests are intentional and originate from authenticated users. Without this protection, an attacker can craft a malicious request that, when executed by an authenticated administrator (e.g., by clicking a link), causes the renaming of surveys without their consent. This attack vector requires no authentication on the attacker’s part but does require user interaction from a privileged user. The vulnerability impacts the integrity of the survey data by allowing unauthorized modifications but does not compromise confidentiality or availability. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the low complexity of the attack but limited impact scope. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability highlights the importance of implementing nonce checks on all AJAX actions that modify data in WordPress plugins to prevent CSRF attacks.

For European organizations, the primary impact is on the integrity of survey data managed through the vulnerable SurveyJS plugin. Unauthorized renaming of surveys could lead to confusion, misrepresentation of data collection efforts, or disruption of workflows relying on survey names. While this does not directly expose sensitive data or cause service outages, it undermines trust in survey results and could affect decision-making processes. Organizations using this plugin in sectors such as market research, public opinion polling, or internal feedback mechanisms may experience operational disruptions. Additionally, if attackers combine this vulnerability with social engineering, it could be a stepping stone for more complex attacks targeting administrative accounts. The risk is heightened in environments where administrators frequently interact with external content or links, increasing the chance of inadvertent exploitation.

To mitigate this vulnerability, organizations should first verify if they are using the SurveyJS: Drag & Drop Form Builder plugin version 1.12.20 or earlier. Immediate steps include updating the plugin to a version where nonce verification is implemented once available. In the absence of an official patch, administrators can implement manual nonce checks on the 'SurveyJS_RenameSurvey' AJAX action by customizing the plugin code or using WordPress hooks to enforce nonce validation. Additionally, organizations should educate administrators about the risks of clicking untrusted links and implement Content Security Policy (CSP) headers to reduce the risk of CSRF attacks. Employing web application firewalls (WAFs) with rules to detect and block suspicious AJAX requests targeting this action can provide temporary protection. Regular audits of plugin security and limiting administrative privileges to necessary personnel will further reduce exposure.