Description
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Impersonated administrative action: unauthorized survey renaming via CSRF
Action: Apply plugin update
AI Analysis

Impact

The SurveyJS WordPress plugin, up to version 2.5.2, lacks a nonce check on the 'SurveyJS_RenameSurvey' AJAX endpoint, creating a Cross‑Site Request Forgery flaw (CWE‑352). This missing verification allows an unauthenticated attacker to send a forged request that, when an administrator follows a crafted link, triggers the survey renaming operation. The primary consequence is the unauthorized alteration of survey data, potentially disrupting form workflows and misleading site visitors, but it does not provide code execution or broader system compromise.

Affected Systems

This vulnerability affects the devsoftbaltic SurveyJS: Drag & Drop Form Builder plugin for WordPress. All releases through and including 2.5.2 are impacted. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 4.3 corresponds to a low‑to‑medium rather than moderate severity, per the CVE data. The EPSS score below 1% indicates a currently low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is the usual CSRF scenario: the attacker induces an authenticated administrator to visit a crafted page or URL, and the administrator's own browser submits the rename request. Because the handler does not verify a nonce, the server accepts the request as legitimate and the survey name is changed. Since exploitation requires an authenticated administrator's interaction and grants no additional privileges, the risk remains contained but still warrants attention.

Generated by OpenCVE AI on April 21, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SurveyJS plugin to the latest version that includes nonce verification for the rename action.
  • If an immediate plugin update is not feasible, restrict access to the 'SurveyJS_RenameSurvey' endpoint so that only logged‑in administrators can invoke it and block anonymous requests.
  • Add a custom WordPress filter or server rule to enforce CSRF token validation on the rename AJAX action until the official patch is applied.
  • Monitor the WP Admin dashboard or audit logs for unexpected survey name changes and alert site owners if such events occur.
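The following is an added illustration of the mitigation the recommendations above describe, written for this page; it is not the SurveyJS plugin's own code. It assumes a hypothetical handler function, a nonce action string 'surveyjs_rename_survey', the capability 'manage_options', and an option-backed stand-in for the plugin's survey storage. The only element taken from the advisory is the AJAX action name 'SurveyJS_RenameSurvey'; the missing piece the advisory describes corresponds to the check_ajax_referer() call.

```php
<?php
// Hardened rename handler (added example, NOT the plugin's code).
// Names prefixed "example_" and the nonce action string are assumptions.

// Server side: verify the CSRF nonce first, then authorization.
function example_surveyjs_rename_survey_handler() {
    // check_ajax_referer() runs wp_verify_nonce() on the 'security' field
    // and terminates the request (HTTP 403, body "-1") when it is missing or stale.
    check_ajax_referer( 'surveyjs_rename_survey', 'security' );

    // A nonce proves the request came from our own page, not who may rename:
    // still require an administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $survey_id = isset( $_POST['survey_id'] ) ? absint( $_POST['survey_id'] ) : 0;
    $new_name  = isset( $_POST['name'] )
        ? sanitize_text_field( wp_unslash( $_POST['name'] ) )
        : '';

    if ( 0 === $survey_id || '' === $new_name ) {
        wp_send_json_error( array( 'message' => 'Invalid input' ), 400 );
    }

    $ok = example_rename_survey( $survey_id, $new_name );

    // Audit trail supporting the monitoring recommendation: who renamed what.
    error_log( sprintf(
        'surveyjs-example: user %d renamed survey %d to "%s" (%s)',
        get_current_user_id(), $survey_id, $new_name, $ok ? 'ok' : 'failed'
    ) );

    if ( $ok ) {
        wp_send_json_success( array( 'survey_id' => $survey_id, 'name' => $new_name ) );
    }
    wp_send_json_error( array( 'message' => 'Rename failed' ), 500 );
}

// Stand-in for the plugin's storage (assumed): survey names kept in one option.
function example_rename_survey( $survey_id, $new_name ) {
    $surveys = get_option( 'example_surveyjs_names', array() );
    if ( ! isset( $surveys[ $survey_id ] ) ) {
        return false; // unknown survey id
    }
    $surveys[ $survey_id ] = $new_name;
    return update_option( 'example_surveyjs_names', $surveys );
}

// Register only the logged-in hook. Deliberately no wp_ajax_nopriv_ hook, so
// anonymous requests to this action are rejected by WordPress itself.
add_action( 'wp_ajax_SurveyJS_RenameSurvey', 'example_surveyjs_rename_survey_handler' );

// Client side: the nonce is minted on the server and handed to the admin
// script, which must send it as the 'security' field with every rename.
function example_surveyjs_enqueue_admin_script() {
    wp_enqueue_script(
        'example-surveyjs-admin',
        plugins_url( 'admin.js', __FILE__ ), // assumed script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-surveyjs-admin', 'exampleSurveyJS', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'surveyjs_rename_survey' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_surveyjs_enqueue_admin_script' );
```

Two design points worth noting. The nonce and the capability check address different questions: the nonce establishes that the request originated from a page WordPress served to this user (defeating the forged cross-site request), while current_user_can() establishes that the user is allowed to rename at all. Omitting the wp_ajax_nopriv_ registration is what makes the "block anonymous requests" recommendation hold at the framework level, independent of the handler body.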



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Values Added: The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Removed: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.20 - Cross-Site Request Forgery to Survey Renaming
Values Added: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 2.5.2 - Cross-Site Request Forgery to Survey Renaming

Type: References (no values listed)

Mon, 26 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Devsoftbaltic; Devsoftbaltic surveyjs Drag Drop Wordpress Form Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Devsoftbaltic; Devsoftbaltic surveyjs Drag Drop Wordpress Form Builder; Wordpress; Wordpress wordpress

Sat, 24 Jan 2026 09:15:00 +0000

Type: Description
Values Added: The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.20 - Cross-Site Request Forgery to Survey Renaming

Type: Weaknesses
Values Added: CWE-352

Type: References (no values listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:39.599Z

Reserved: 2025-11-14T15:37:10.643Z

Link: CVE-2025-13194

Vulnrichment

Updated: 2026-01-26T17:39:37.858Z

NVD

Status : Deferred

Published: 2026-01-24T09:15:51.713

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13194

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses