CVE-2025-13194 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the SurveyJS: Drag & Drop Form Builder plugin for WordPress, versions up to and including 1.12.20. The vulnerability stems from the absence of nonce verification on the AJAX action 'SurveyJS_RenameSurvey', which is responsible for renaming surveys within the plugin. Nonce verification is a security mechanism in WordPress designed to ensure that requests are intentional and originate from legitimate users, preventing unauthorized actions triggered by third parties. Due to this missing verification, an attacker can craft a malicious request that, when executed by an authenticated administrator (for example, by clicking a specially crafted link), causes the renaming of surveys without the administrator’s consent. This attack does not require the attacker to be authenticated themselves but depends on social engineering to induce the administrator’s interaction. The vulnerability affects all versions of the plugin up to 1.12.20, with no patches currently available. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction, and impacts integrity only by allowing unauthorized modification of survey names. There is no impact on confidentiality or availability. No known exploits are reported in the wild at this time. The plugin is used to create and manage complex forms embedded in WordPress sites, making it a valuable target for attackers aiming to manipulate survey data or disrupt form management workflows.

The primary impact of this vulnerability is on the integrity of survey data managed through the affected plugin. An attacker can rename surveys without authorization, potentially causing confusion, misrepresentation of survey content, or disruption of data collection processes. While this does not directly compromise sensitive data confidentiality or site availability, it undermines trust in the accuracy and reliability of survey results. Organizations relying on SurveyJS for critical data collection, customer feedback, or internal processes may face operational disruptions or reputational damage if surveys are altered maliciously. Since exploitation requires tricking an administrator into clicking a link, the attack surface is limited but still significant in environments with multiple administrators or less security-aware personnel. The vulnerability could be leveraged as part of a broader attack chain, for example, to mislead users or administrators about survey content or to facilitate social engineering attacks. Given the widespread use of WordPress globally and the popularity of form builder plugins, many organizations, especially those in sectors relying on survey data (education, market research, customer service), could be affected.

To mitigate this vulnerability, organizations should immediately restrict administrative access to trusted personnel and implement strict user training to recognize and avoid phishing or social engineering attempts involving suspicious links. Administrators should avoid clicking on untrusted URLs while logged into WordPress dashboards. Monitoring and logging of AJAX actions related to survey management can help detect anomalous renaming activities. Until an official patch is released, consider disabling or removing the SurveyJS: Drag & Drop Form Builder plugin if it is not essential. Alternatively, implement custom nonce verification or request validation for the 'SurveyJS_RenameSurvey' AJAX action by modifying the plugin code to include WordPress nonce checks. Regularly update WordPress and all plugins once a patch becomes available. Employ web application firewalls (WAFs) capable of detecting and blocking CSRF attempts targeting AJAX endpoints. Finally, maintain backups of survey configurations and data to enable recovery in case of unauthorized modifications.