SurveyJS: Drag & Drop Form Builder Security & Risk Analysis

wordpress.org/plugins/surveyjs

Drag & Drop Form Builder for WordPress

500 active installs · v2.5.3 · PHP 8.2+ · WP 6.4+ · Updated Jan 26, 2026
Tags: form-builder, quiz, survey, survey-creator, survey-maker
Score: 89
Grade: A · Safe
CVEs total: 9
Unpatched: 0
Last CVE: Jan 23, 2026
Safety Verdict

Is SurveyJS: Drag & Drop Form Builder Safe to Use in 2026?

Generally Safe

Score 89/100

SurveyJS: Drag & Drop Form Builder has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEs · Last CVE: Jan 23, 2026 · Updated 2mo ago
Risk Assessment

The SurveyJS plugin v2.5.3 exhibits a mixed security posture. On the positive side, static analysis shows a good implementation of security best practices: a high proportion of SQL queries use prepared statements and most output is escaped. The plugin also demonstrates consistent use of nonces and capability checks throughout the analyzed code signals. It exposes very few entry points, and critically, every identified entry point appears to be protected, which suggests a strong defensive design against direct-access vulnerabilities. Furthermore, the absence of critical- or high-severity taint flows and of dangerous functions is a very encouraging sign of secure coding.

However, the plugin's vulnerability history is a significant concern. With 9 known CVEs, including 2 high- and 7 medium-severity vulnerabilities, it shows a recurring pattern of security flaws. The classes of past vulnerabilities (CSRF, XSS, missing authorization, and unrestricted file upload) indicate that attackers have previously found several distinct ways to exploit the plugin. While there are currently no unpatched CVEs, the historical prevalence of these issues raises questions about the overall robustness of the plugin's security development lifecycle. The most recent vulnerability carrying a future date (2026-01-23) is also an anomaly that warrants further investigation, but it does not directly affect the current risk as assessed from the provided data.

In conclusion, SurveyJS v2.5.3 has strong internal security measures such as prepared statements and output escaping, with a low immediate attack surface. However, its extensive history of medium- and high-severity vulnerabilities is a considerable risk. Users should be aware that, despite the current lack of unpatched issues, the plugin has proven susceptible to a variety of attacks in the past, which demands careful monitoring and prompt updates whenever new vulnerabilities are disclosed.

Key Concerns

  • History of 9 known CVEs
  • History of 2 high severity CVEs
  • History of 7 medium severity CVEs
  • File operations present
  • Bundled libraries (DataTables, jQuery)
Vulnerabilities: 9

SurveyJS: Drag & Drop Form Builder Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 5 CVEs
2026: 3 CVEs

Severity Breakdown

High: 2
Medium: 7

9 total CVEs

CVE-2025-13205 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 2.5.2 - Cross-Site Request Forgery to Survey Cloning

Jan 23, 2026 · Patched in 2.5.3 (11d)

CVE-2025-13194 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 2.5.2 - Cross-Site Request Forgery to Survey Renaming

Jan 23, 2026 · Patched in 2.5.3 (11d)

CVE-2025-13139 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

SurveyJS: Drag & Drop WordPress Form Builder <= 2.5.2 - Cross-Site Request Forgery to Survey Creation

Jan 23, 2026 · Patched in 2.5.3 (11d)

CVE-2025-13140 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 - Cross-Site Request Forgery to Survey Deletion

Dec 1, 2025 · Patched in 1.20.27 (1d)

CVE-2025-3815 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SurveyJS <= 1.12.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

May 2, 2025 · Patched in 1.12.33 (1d)

CVE-2025-32167 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SurveyJS <= 1.12.20 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 4, 2025 · Patched in 1.12.57 (260d)

CVE-2025-32256 · medium · 5.3 · Missing Authorization

SurveyJS <= 1.12.20 - Missing Authorization

Apr 4, 2025 · Patched in 1.12.57 (260d)

CVE-2024-12544 · high · 8.8 · Missing Authorization

SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion via SurveyJS_DeleteFile

Feb 28, 2025 · Patched in 1.12.18 (1d)

CVE-2024-50427 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

SurveyJS: Drag & Drop WordPress Form Builder <= 1.9.136 - Authenticated (Subscriber+) Arbitrary File Upload

Oct 24, 2024 · Patched in 1.12.4 (7d)
Code Analysis
Analyzed Mar 16, 2026

SurveyJS: Drag & Drop Form Builder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (11 prepared)
Unescaped Output: 8 (149 escaped)
Nonce Checks: 12
Capability Checks: 9
File Operations: 1
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

DataTables, jQuery

SQL Query Safety

85% prepared (13 total queries)

Output Escaping

95% escaped (157 total outputs)

Data Flows: 2 unsanitized

Data Flow Analysis

8 flows, 2 with unsanitized paths

render (views\results.php:9)
Attack Surface

SurveyJS: Drag & Drop Form Builder Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes (1)

[Survey] initializer.php:19

WordPress Hooks (6)

action admin_menu initializer.php:17
filter media_buttons initializer.php:18
action wp_enqueue_scripts initializer.php:22
action admin_enqueue_scripts initializer.php:23
action init initializer.php:25
action admin_init views\settings.php:11
Maintenance & Trust

SurveyJS: Drag & Drop Form Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 26, 2026
PHP min version: 8.2
Downloads: 14K

Community Trust

Rating: 94/100
Number of ratings: 3
Active installs: 500
Developer Profile

SurveyJS: Drag & Drop Form Builder Developer Profile

devsoftbaltic

1 plugin · 500 total installs

Trust score: 80
Avg Security Score: 89/100
Avg Patch Time: 63 days
Detection Fingerprints

How We Detect SurveyJS: Drag & Drop Form Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/surveyjs/libs/bootstrap.min.css
/wp-content/plugins/surveyjs/index.css
/wp-content/plugins/surveyjs/libs/babel.min.js
/wp-content/plugins/surveyjs/libs/library/survey.core.min.js
/wp-content/plugins/surveyjs/libs/library/survey.i18n.min.js
/wp-content/plugins/surveyjs/libs/library/themes/index.min.js
/wp-content/plugins/surveyjs/libs/library/survey-react-ui.min.js
/wp-content/plugins/surveyjs/libs/creator/survey-creator-core.min.js
(+7 more)

Script Paths
/wp-content/plugins/surveyjs/block/block.js

Version Parameters
surveyjs/libs/bootstrap.min.css?ver=
surveyjs/index.css?ver=
surveyjs/libs/babel.min.js?ver=
surveyjs/libs/library/survey.core.min.js?ver=
surveyjs/libs/library/survey.i18n.min.js?ver=
surveyjs/libs/library/themes/index.min.js?ver=
surveyjs/libs/library/survey-react-ui.min.js?ver=
surveyjs/libs/creator/survey-creator-core.min.js?ver=
surveyjs/libs/creator/survey-creator-core.i18n.min.js?ver=
surveyjs/libs/creator/survey-creator-react.min.js?ver=
surveyjs/libs/library/defaultV2.min.css?ver=
surveyjs/libs/creator/survey-creator-core.min.css?ver=
surveyjs/libs/datatables/dataTables.min.css?ver=
surveyjs/libs/datatables/dataTables.min.js?ver=
surveyjs/libs/datatables/dataTables.buttons.min.js?ver=
surveyjs/block/block.js?ver=

HTML / DOM Fingerprints

CSS Classes
surveyjs-react, sv-root, sv-container-padding, sv-title, sv-description, sv-body, sv-question, sv-panel (+202 more)

HTML Comments
<!-- surveyjs-react -->
<!-- SurveyJS -->

Data Attributes
data-surveyjs-id, data-surveyjs-preview, data-surveyjs-theme, data-surveyjs-mode

JS Globals
surveyJsCreator, Survey, surveys

REST Endpoints
/wp-json/surveyjs/v1/surveys
/wp-json/surveyjs/v1/surveys/(?P<id>\d+)
/wp-json/surveyjs/v1/results
/wp-json/surveyjs/v1/results/(?P<id>\d+)
/wp-json/surveyjs/v1/upload
/wp-json/surveyjs/v1/files/(?P<id>\d+)
Shortcode Output
[Survey surveyid=
FAQ

Frequently Asked Questions about SurveyJS: Drag & Drop Form Builder