CVE-2025-13006
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: Wordfence

Description
The SurveyFunnel – Survey Plugin for WordPress plugin is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected REST API endpoints under /wp-json/surveyfunnel/v2/. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-05
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
One associated CPE:
Vendor: wpeka
Product: surveyfunnel_lite
Version / Range: 1.1.5 (the CPE entry lists only 1.1.5; the advisory covers all versions up to and including 1.1.5)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the SurveyFunnel – Survey Plugin for WordPress allows unauthenticated attackers to access sensitive information by exploiting unprotected REST API endpoints (/wp-json/surveyfunnel/v2/). This means attackers can extract sensitive data from survey responses without needing to log in or have any privileges.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive survey response data, potentially compromising the privacy of individuals who submitted surveys. It may result in data breaches, loss of trust, and harm to affected individuals or organizations.

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive survey response data, including potentially personally identifiable information (PII). Such unauthorized exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information. Therefore, the vulnerability poses a risk to compliance with these standards by enabling data breaches through unprotected REST API endpoints. [1]

Detection Guidance

You can detect this vulnerability by checking whether the plugin's REST API endpoints answer requests that carry no authentication at all (no WordPress cookie, no REST nonce, no Authorization header). Note that the advisory only names the /wp-json/surveyfunnel/v2/ namespace; the individual route paths below are this page's own guesses and are not confirmed by the advisory. Send unauthenticated GET requests to candidate endpoints on your WordPress site, for example:

1. curl -si https://your-wordpress-site.com/wp-json/surveyfunnel/v2/fsd
2. curl -si https://your-wordpress-site.com/wp-json/surveyfunnel/v2/responses
3. curl -si https://your-wordpress-site.com/wp-json/surveyfunnel/v2/responses/{survey_id}
4. curl -si https://your-wordpress-site.com/wp-json/surveyfunnel/v2/surveys
5. curl -si https://your-wordpress-site.com/wp-json/surveyfunnel/v2/surveys/survey_id={survey_id}

A protected endpoint answers HTTP 401 or 403 with a JSON body whose code is rest_forbidden. If an endpoint returns HTTP 200 with survey or response data, your system is vulnerable. Two practical notes: WordPress publishes an index for every REST namespace, so https://your-wordpress-site.com/wp-json/surveyfunnel/v2 lists the routes the plugin actually registers and you do not have to guess names; and WordPress also serves REST routes in the form https://your-wordpress-site.com/?rest_route=/surveyfunnel/v2/..., so a check that covers only the /wp-json/ path form is incomplete. [1]
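The same check in scripted form, as an added example written for this page (it is not code from the plugin, from Wordfence, or from the advisory): a Python probe that reads the namespace index WordPress exposes at /wp-json/surveyfunnel/v2, requests every concrete GET route it lists with no credentials, and classifies each answer as protected, exposed, empty or other. The route names in the embedded sample index and the file name sf_probe.py are placeholders chosen for the example, not the plugin's real routes.

```python
"""Unauthenticated probe of a WordPress site's surveyfunnel/v2 REST namespace.

Added example: discovers the routes the plugin registers via the per-namespace
index WordPress exposes at /wp-json/<namespace>, requests each GET route with
no credentials, and classifies the answer. Route names in SAMPLE_INDEX are
constructed placeholders, not the plugin's real routes.
"""
import json
import sys
import urllib.error
import urllib.request

NAMESPACE = "surveyfunnel/v2"

# Constructed sample index in the shape WordPress returns for GET /wp-json/<namespace>.
# The "hypothetical" route names are placeholders for this example only.
SAMPLE_INDEX = json.dumps({
    "namespace": NAMESPACE,
    "routes": {
        "/surveyfunnel/v2": {"methods": ["GET"], "endpoints": [{"methods": ["GET"]}]},
        "/surveyfunnel/v2/hypothetical": {
            "methods": ["GET", "POST"],
            "endpoints": [{"methods": ["GET"]}, {"methods": ["POST"]}],
        },
        "/surveyfunnel/v2/hypothetical/(?P<id>\\d+)": {
            "methods": ["GET"], "endpoints": [{"methods": ["GET"]}]
        },
    },
})


def routes_from_index(index_json: str) -> list:
    """Return the concrete GET routes listed in a namespace index.

    The namespace root itself and regex routes (those containing '(') are
    skipped: the former is the index, the latter need an id we would have to guess.
    """
    data = json.loads(index_json)
    routes = []
    for route, info in data.get("routes", {}).items():
        if route == "/" + NAMESPACE or "(" in route:
            continue
        methods = {m for ep in info.get("endpoints", []) for m in ep.get("methods", [])}
        if "GET" in methods:
            routes.append(route)
    return sorted(routes)


def classify(status: int, body: str) -> str:
    """Classify an unauthenticated response.

    'protected': 401/403, or a WP_Error with code rest_forbidden (permission_callback refused us)
    'exposed':   200 with a non-empty JSON payload
    'empty':     200 with an empty JSON payload (route answers, nothing stored)
    'other':     anything else (HTML, WAF block page, rest_no_route, ...)
    """
    if status in (401, 403):
        return "protected"
    try:
        data = json.loads(body)
    except ValueError:
        return "other"
    if isinstance(data, dict) and "code" in data and "message" in data:
        return "protected" if data["code"] == "rest_forbidden" else "other"
    if status != 200:
        return "other"
    return "exposed" if data else "empty"


def fetch(url: str, timeout: float = 10.0):
    """GET url with no cookies or tokens; return (status, body) even for HTTP errors."""
    req = urllib.request.Request(url, headers={"Accept": "application/json", "User-Agent": "sf-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url: str) -> dict:
    """Map each concrete GET route in the namespace to its classification."""
    base = base_url.rstrip("/")
    status, body = fetch(f"{base}/wp-json/{NAMESPACE}")
    if status != 200:
        raise SystemExit(f"namespace index not reachable (HTTP {status}); plugin absent or REST disabled?")
    results = {}
    for route in routes_from_index(body):
        status, body = fetch(f"{base}/wp-json{route}")
        results[route] = classify(status, body)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python sf_probe.py https://your-wordpress-site.com")
    for route, verdict in probe(sys.argv[1]).items():
        print(f"{verdict:10} {route}")
```

Any route reported as exposed is one the plugin serves to anonymous callers; an empty result only means nothing is stored on that site, not that the route is protected. Regex routes are skipped on purpose so that the probe never guesses record identifiers.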

Mitigation Strategies

Immediate mitigation steps include:

1. Update the SurveyFunnel – Survey Plugin for WordPress to a version later than 1.1.5 in which this vulnerability is fixed (the advisory does not name the fixed release).
2. If an update is not immediately available, restrict access to the vulnerable REST API endpoints with authentication or IP-based access controls on your web server or firewall. Cover both URL forms WordPress serves, /wp-json/surveyfunnel/v2/... and /?rest_route=/surveyfunnel/v2/..., or the rule can be sidestepped. In WordPress a REST route is public unless its registration supplies a permission_callback that rejects the caller, so a web-server rule is a stop-gap, not a fix.
3. Disable or remove the SurveyFunnel plugin temporarily if you do not require its functionality until a patch is applied.
4. Monitor your logs for access to the /wp-json/surveyfunnel/v2/ endpoints (including the rest_route form) to detect exploitation attempts. Access logs do not record WordPress authentication state, so treat successful (HTTP 200) GET requests against these routes from unknown clients as suspect. [1]
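Step 4 in runnable form, as an added example that is not part of the original page, the plugin, or the advisory: a Python scanner for combined-format access logs that recognises both URL forms WordPress serves the REST API under (/wp-json/... and ?rest_route=...), keeps every request into the surveyfunnel/v2 namespace, and counts successful GETs per client. The log lines in SAMPLE_LOG are constructed for the example with RFC 5737 test addresses and a placeholder route name; they are not real traffic.

```python
"""Scan web-server access logs for reads of the surveyfunnel/v2 REST namespace.

Added example for the log-monitoring step. The log lines in SAMPLE_LOG are
constructed (combined log format, RFC 5737 test addresses, placeholder route
names); they are not real traffic and the route names are not the plugin's.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

NAMESPACE = "surveyfunnel/v2"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic: two namespace reads from one client (one via ?rest_route=),
# an unrelated core request, a refused read, and a POST that is not a read.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2025:10:01:12 +0000] "GET /wp-json/surveyfunnel/v2/hypothetical HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [05/Dec/2025:10:01:13 +0000] "GET /?rest_route=%2Fsurveyfunnel%2Fv2%2Fhypothetical HTTP/1.1" 200 5120 "-" "curl/8.4.0"
198.51.100.4 - - [05/Dec/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Dec/2025:10:03:00 +0000] "GET /wp-json/surveyfunnel/v2/hypothetical HTTP/1.1" 403 120 "-" "curl/8.4.0"
192.0.2.9 - - [05/Dec/2025:10:04:00 +0000] "POST /wp-json/surveyfunnel/v2/hypothetical HTTP/1.1" 200 30 "-" "Mozilla/5.0"
"""


def rest_route(target: str) -> Optional[str]:
    """Return the REST route (without leading slash) addressed by a request target, else None.

    WordPress serves the REST API both as /wp-json/<route> (pretty permalinks)
    and as /?rest_route=/<route> (or /index.php?rest_route=...), so a monitor
    that only matches the /wp-json/ substring misses the second form.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        return path.split("/wp-json/", 1)[1].strip("/")
    query = parse_qs(parts.query)
    if "rest_route" in query:
        return unquote(query["rest_route"][0]).strip("/")
    return None


def in_namespace(route: str) -> bool:
    """True for the namespace root and anything below it (not for e.g. surveyfunnel/v20)."""
    return route == NAMESPACE or route.startswith(NAMESPACE + "/")


def scan(lines) -> list:
    """Return one record per logged request that addressed the plugin's namespace."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        route = rest_route(m["target"])
        if route is None or not in_namespace(route):
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "route": "/" + route, "status": int(m["status"])})
    return hits


def successful_reads_by_ip(hits) -> Counter:
    """Count GET requests the server answered with 2xx, per client.

    Access logs carry no WordPress session state, so every 2xx GET is a
    potential unauthenticated read until correlated with a known client.
    """
    return Counter(h["ip"] for h in hits if h["method"] == "GET" and 200 <= h["status"] < 300)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = scan(fh)
    else:
        hits = scan(SAMPLE_LOG.splitlines())
    for ip, n in successful_reads_by_ip(hits).most_common():
        print(f"{ip:16} {n} successful GET(s) against /{NAMESPACE}")
```

Run it against a real log with `python sf_logscan.py /var/log/nginx/access.log`; with no argument it scans the constructed sample. The refused (403) request still appears in the hit list so that probing can be seen even where the web-server rule from step 2 is already in place.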
