Description
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted CSRF‑driven survey creation
Action: Apply patch
AI Analysis

Impact

The SurveyJS: Drag & Drop WordPress Form Builder plugin contains a Cross‑Site Request Forgery vulnerability in its SurveyJS_AddSurvey AJAX action. The flaw arises from a missing nonce check, so the handler cannot tell a request issued by the plugin's own admin page from one submitted by a third-party page. The attacker needs no privileges on the site; it is enough to convince a logged‑in administrator to click a crafted link, at which point the administrator's browser submits the forged request with the administrator's own session cookie and a new survey is created.

Affected Systems

All releases of SurveyJS: Drag & Drop WordPress Form Builder up to and including version 2.5.2, distributed by devsoftbaltic. WordPress sites that have this plugin installed and activated are vulnerable. The problem is localized to the plugin’s AJAX endpoint that handles new survey submissions.

Risk and Exploitability

The CVSS score of 4.3 (Medium) reflects a limited impact: the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N records a low integrity impact and no effect on confidentiality or availability, and the EPSS score below 1 % indicates a low likelihood of exploitation under normal conditions. Nevertheless, the vulnerability can be triggered from an ordinary web browser, allowing an unauthenticated attacker to add a survey via CSRF. It is not listed in the CISA KEV catalog, but administrators should still patch promptly because the attack requires only that an administrator click a crafted link.

Generated by OpenCVE AI on April 22, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SurveyJS: Drag & Drop WordPress Form Builder to a version newer than 2.5.2 that contains nonce validation for the SurveyJS_AddSurvey AJAX action.
  • If an upgrade is not immediately feasible, restrict unauthenticated access to the plugin's AJAX endpoint by adding a check that only logged‑in administrators can execute SurveyJS_AddSurvey, or block the endpoint via .htaccess or a security plugin. Note that a login or capability check on its own does not stop CSRF, because the forged request is sent by the administrator's own authenticated browser; nonce validation is what defeats it.
  • As a temporary workaround, disable the survey creation feature by editing the plugin source to comment out the AJAX handler for add_survey or by disabling the add_survey action in the plugin’s settings.

Generated by OpenCVE AI on April 22, 2026 at 15:36 UTC.
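The mitigation described in the analysis and the recommended actions (nonce validation plus a capability check on the survey-creation AJAX handler), as an added example that is not the plugin's code: a hypothetical WordPress AJAX handler shown first in the unchecked form that exhibits CWE-352 and then hardened with WordPress's own nonce API. The function names, the `example_add_survey` AJAX and nonce action, and the `example_survey` post type are assumptions.

```php
<?php
// Added example, not the plugin's code. Function names, the 'example_add_survey'
// AJAX/nonce action and the 'example_survey' post type are assumptions.

// Unchecked pattern (CWE-352, not registered here): the handler processes any request
// that reaches admin-ajax.php. The administrator's session cookie is attached by the
// browser automatically, so a cross-site form submission made while they are logged
// in is handled exactly like a legitimate one.
function example_add_survey_unchecked() {
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $id    = wp_insert_post( array( 'post_type' => 'example_survey', 'post_title' => $title, 'post_status' => 'publish' ) );
    wp_send_json_success( array( 'id' => $id ) );
}

// Hardened pattern: bind the request to a nonce, then check authorisation.
function example_add_survey_checked() {
    // check_ajax_referer() compares the 'nonce' POST field with a nonce created for
    // the action 'example_add_survey' and terminates the request if it is missing,
    // stale or tied to a different user. A cross-site page cannot read this value.
    check_ajax_referer( 'example_add_survey', 'nonce' );

    // A valid nonce proves intent, not privilege; enforce the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'title required' ), 400 );
    }
    $id = wp_insert_post( array( 'post_type' => 'example_survey', 'post_title' => $title, 'post_status' => 'publish' ) );
    wp_send_json_success( array( 'id' => $id ) );
}
// Register only the logged-in hook; no wp_ajax_nopriv_ variant for an admin operation.
add_action( 'wp_ajax_example_add_survey', 'example_add_survey_checked' );

// The plugin's own admin page hands the nonce to its script, which sends it back
// as the 'nonce' field of every create request.
function example_enqueue_survey_script() {
    wp_enqueue_script( 'example-survey', plugins_url( 'survey.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-survey', 'exampleSurvey', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_add_survey' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_survey_script' );
```

A request that lacks the nonce, or carries one minted for a different user or action, is rejected by check_ajax_referer() before any survey is written, which is the behaviour the fixed plugin versions need to provide.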

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type: Description
Values Removed: The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Values Added: The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Removed: SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 - Cross-Site Request Forgery to Survey Creation
Values Added: SurveyJS: Drag & Drop WordPress Form Builder <= 2.5.2 - Cross-Site Request Forgery to Survey Creation

Type: References

Mon, 26 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Devsoftbaltic; Devsoftbaltic surveyjs Drag Drop Wordpress Form Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Devsoftbaltic; Devsoftbaltic surveyjs Drag Drop Wordpress Form Builder; Wordpress; Wordpress wordpress

Sat, 24 Jan 2026 09:15:00 +0000

Type: Description
Values Added: The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 - Cross-Site Request Forgery to Survey Creation

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:58.355Z

Reserved: 2025-11-13T18:49:37.998Z

Link: CVE-2025-13139

Vulnrichment

Updated: 2026-01-26T17:46:55.835Z

NVD

Status: Deferred

Published: 2026-01-24T09:15:50.647

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13139

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:45:20Z

Weaknesses