CVE-2025-13139

SurveyJS: Drag & Drop WordPress Form Builder <= 2.5.2 - Cross-Site Request Forgery to Survey Creation

Vulnerability type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Severity: Medium
Patched in: 2.5.3
Time to patch: 11 days

Description

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.5.2
Published: January 23, 2026
Last updated: February 3, 2026
Affected plugin: surveyjs

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2025-13139 (SurveyJS CSRF)

1. Vulnerability Summary

The SurveyJS: Drag & Drop WordPress Form Builder plugin (<= 2.5.2) is vulnerable to Cross-Site Request Forgery (CSRF) via the SurveyJS_AddSurvey AJAX action. The vulnerability exists because the plugin fails to implement nonce validation (e.g., check_ajax_referer or wp_verify_nonce) in the handler function associated with this action. An unauthenticated attacker can create new surveys by tricking a logged-in administrator into submitting a forged request.

2. Attack Vector Analysis

  • AJAX Action: SurveyJS_AddSurvey (inferred from CVE description).
  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Authentication Requirement: The request must be executed in the context of an authenticated administrator (via CSRF).
  • Vulnerable Parameter: The action parameter must be SurveyJS_AddSurvey. Other parameters likely include name (the survey title) and json (the survey configuration).
  • Preconditions: The plugin must be active, and an administrator must be logged in.

3. Code Flow (Inferred)

  1. Registration: The plugin registers the AJAX hook during initialization (likely in init or admin_init):
    add_action('wp_ajax_SurveyJS_AddSurvey', 'SurveyJS_AddSurvey_handler');
  2. Trigger: An administrator visits a malicious page that auto-submits a POST request to admin-ajax.php with action=SurveyJS_AddSurvey.
  3. Vulnerable Handler: The handler function (e.g., SurveyJS_AddSurvey_handler) processes the request.
  4. Missing Check: The handler fails to call check_ajax_referer('...', '...').
  5. Sink: The handler takes input from $_POST['name'] and $_POST['json'] and inserts it directly into the database (likely the {prefix}surveyjs_surveys table) using $wpdb->insert().
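The fix the advisory implies is a nonce check in front of the sink. The handler below is an added example written here, not code from the SurveyJS plugin; it assumes the inferred shape above (a POST with name and json written to {prefix}surveyjs_surveys), an invented nonce action string 'surveyjs_add_survey', and a hypothetical script handle 'surveyjs-admin' for the admin page that sends the request.

```php
<?php
// Added example (not the plugin's own code): a hardened admin-ajax handler for the
// SurveyJS_AddSurvey action. Table name, parameter names and the script handle are
// assumptions taken from the inferred code flow, not verified plugin internals.

// 1. Hand a nonce to the admin page's script so legitimate requests can send it.
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('surveyjs-admin', 'surveyjsAjax', array(   // assumed handle
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('surveyjs_add_survey'),
    ));
});

// 2. Register the authenticated hook only; no wp_ajax_nopriv_ variant is needed.
add_action('wp_ajax_SurveyJS_AddSurvey', 'surveyjs_add_survey_handler');

function surveyjs_add_survey_handler() {
    // The check missing in <= 2.5.2 per the advisory. check_ajax_referer() dies
    // with -1 when the nonce is absent or invalid, so a cross-site POST from a
    // page that cannot read the nonce never reaches the database write below.
    check_ajax_referer('surveyjs_add_survey', 'security');

    // A nonce proves intent, not authority: still enforce the capability.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'insufficient privileges'), 403);
    }

    $name = isset($_POST['name']) ? sanitize_text_field(wp_unslash($_POST['name'])) : '';
    $json = isset($_POST['json']) ? wp_unslash($_POST['json']) : '';

    // Accept only a JSON object as the survey definition; re-encode it canonically.
    $decoded = json_decode($json, true);
    if ($name === '' || !is_array($decoded)) {
        wp_send_json_error(array('message' => 'invalid survey payload'), 400);
    }

    global $wpdb;
    $table = $wpdb->prefix . 'surveyjs_surveys'; // assumed table name (section 3)
    $inserted = $wpdb->insert(
        $table,
        array('name' => $name, 'json' => wp_json_encode($decoded)),
        array('%s', '%s')
    );

    if ($inserted === false) {
        wp_send_json_error(array('message' => 'insert failed'), 500);
    }
    wp_send_json_success(array('id' => (int) $wpdb->insert_id));
}
```

The client side must then post the value of surveyjsAjax.nonce in the security field; a request without it, such as the forged one described in this plan, is rejected before any row is written.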

4. Nonce Acquisition Strategy

No nonce is required.
The essence of this CSRF vulnerability is the total absence of nonce validation for the SurveyJS_AddSurvey action. Unlike vulnerabilities where a nonce is present but leaky, this specific CVE identifies a missing check. Therefore, the exploit request can be constructed without any _wpnonce or security parameter.

5. Exploitation Strategy

The goal is to demonstrate that an unauthenticated attacker can force an administrator's browser to create a survey.

  1. Identify Parameters: Confirm the exact names for the survey title and JSON data. Based on standard SurveyJS integrations, these are usually name and json.
  2. Craft Payload:
    • action: SurveyJS_AddSurvey
    • name: CSRF_Exploit_Survey
    • json: {"pages":[{"name":"page1","elements":[{"type":"text","name":"question1"}]}]}
  3. Simulate CSRF: Using the http_request tool, send a POST request to the target site using the administrator's cookies.

HTTP Request (as Admin)

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [Admin Cookies]

action=SurveyJS_AddSurvey&name=Exploit_Survey_Title&json=%7B%22title%22%3A%22Hacked%22%7D

6. Test Data Setup

  1. Install and activate SurveyJS: Drag & Drop WordPress Form Builder version 2.5.2.
  2. Create an administrator user.
  3. Obtain the administrator's session cookies (using browser_navigate and browser_eval or by inspecting the environment if provided).
  4. Verify the database table exists: wp_surveyjs_surveys.

7. Expected Results

  • The admin-ajax.php endpoint should return a 200 OK status.
  • The response body should ideally be a JSON string like {"success":true} or an ID of the newly created survey.
  • A new entry should appear in the WordPress database containing the name Exploit_Survey_Title.

8. Verification Steps

After sending the http_request, use wp-cli to verify the state of the database:

# List all surveys in the SurveyJS table
wp db query "SELECT id, name FROM $(wp db prefix)surveyjs_surveys WHERE name = 'Exploit_Survey_Title';"

If the query returns a row, the CSRF exploit was successful.

9. Alternative Approaches

If SurveyJS_AddSurvey is not the correct action name (though stated in the CVE), search the plugin directory for other potential AJAX actions:

grep -r "wp_ajax_" wp-content/plugins/surveyjs/

Check for actions related to "Save", "Add", or "Create". If the primary exploit fails, check if the plugin uses a REST API endpoint instead of admin-ajax.php, though the CVE specifically mentions the AJAX action.

If name and json are not the parameter names, inspect the plugin's JavaScript files (e.g., admin.js or editor.js) to see how it sends data to the server:

grep -r "SurveyJS_AddSurvey" wp-content/plugins/surveyjs/ | grep ".js"
