Devsoftbaltic Surveyjs Drag Drop Form Builder vulnerabilities
7 known vulnerabilities affecting devsoftbaltic/surveyjs_drag_drop_form_builder.
Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 5
Vulnerabilities
CVE-2024-12544 | P2 | HIGH | CVSS 8.8 | CWE-862 | ≤ 1.12.17 | 2025-03-01
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability check on the callback function of the SurveyJS_DeleteFile class in all versions up to, and including, 1.12.17. This makes it possible for authenticated at
nvd
CVE-2026-2440 | P3 | HIGH | CVSS 7.2 | CWE-79 | ≤ 2.5.3 | 2026-03-21
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads t
nvd
CVE-2025-3815 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | ≤ 1.12.32 | 2025-05-03
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.12.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will ex
nvd
CVE-2025-13194 | P4 | MEDIUM | CVSS 4.3 | CWE-352 | ≤ 2.5.2 | 2026-01-24
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated att
nvd
CVE-2025-13140 | P4 | MEDIUM | CVSS 4.3 | CWE-352 | ≤ 1.12.20 | 2025-12-02
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. This makes it possible for unauthenticated attackers to delete surveys via a forged request granted they can
nvd
CVE-2025-13205 | P4 | MEDIUM | CVSS 4.3 | CWE-352 | ≤ 2.5.2 | 2026-01-24
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthent
nvd
CVE-2025-13139 | P4 | MEDIUM | CVSS 4.3 | CWE-352 | ≤ 2.5.2 | 2026-01-24
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can tric
nvd