WordPress Plugin Vulnerabilities

Survey Maker < 5.1.9.5 - Missing Authorization to Unauthenticated Limited Option Update

Description

The Survey Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to update the ays_survey_maker_upgrade_plugin option.

Affects Plugins

Plugin icon
survey-maker
Fixed in 5.1.9.5

References

CVE
CVE-2025-12892
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6abc7605-2daa-44a9-8f2f-cbaacbea9348

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
DityaRA
Verified
No
WPVDB ID
3265cdd0-1569-4d23-8fc0-3fc0959de5c6

Timeline

Publicly Published
2025-11-12 (about 7 months ago)
Added
2025-11-12 (about 7 months ago)
Last Updated
2025-11-17 (about 7 months ago)

Other

Published
Title
Published
2025-12-22
Title
Tablesome < 1.1.35.2 - Missing Authorization
Published
2023-12-15
Title
GTG Product Feed for Shopping < 1.2.5 - Unauthenticated Settings Update
Published
2024-11-19
Title
WP Project Manager < 2.6.15 - Missing Authorization to Project Milestone and Task Creation/Deletion
Published
2026-03-18
Title
Contextual Related Posts < 4.2.2 - Missing Authorization
Published
2025-02-23
Title
Market Exporter < 2.0.22 - Missing Authorization