CVE-2025-13006
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-13006, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: Wordfence

Description

The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-05
Last Modified
2025-12-08
Generated
2026-07-06
AI Q&A
2025-12-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpeka surveyfunnel_lite 1.1.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in the SurveyFunnel – Survey Plugin for WordPress allows unauthenticated attackers to access sensitive information by exploiting unprotected REST API endpoints (/wp-json/surveyfunnel/v2/). This means attackers can extract sensitive data from survey responses without needing to log in or have any privileges.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive survey response data, potentially compromising the privacy of individuals who submitted surveys. It may result in data breaches, loss of trust, and harm to affected individuals or organizations.

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive survey response data, including potentially personally identifiable information (PII). Such unauthorized exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information. Therefore, the vulnerability poses a risk to compliance with these standards by enabling data breaches through unprotected REST API endpoints. [1]

Detection Guidance

You can detect this vulnerability by checking if the vulnerable REST API endpoints are accessible without authentication. For example, you can use curl commands to send unauthenticated GET requests to the following endpoints on your WordPress site: 1. curl -X GET https://your-wordpress-site.com/wp-json/surveyfunnel/v2/fsd 2. curl -X GET https://your-wordpress-site.com/wp-json/surveyfunnel/v2/responses 3. curl -X GET https://your-wordpress-site.com/wp-json/surveyfunnel/v2/responses/{survey_id} 4. curl -X GET https://your-wordpress-site.com/wp-json/surveyfunnel/v2/surveys 5. curl -X GET https://your-wordpress-site.com/wp-json/surveyfunnel/v2/surveys/survey_id={survey_id} If these endpoints return survey or response data without requiring authentication, your system is vulnerable. [1]

Mitigation Strategies

Immediate mitigation steps include: 1. Update the SurveyFunnel – Survey Plugin for WordPress to a version later than 1.1.5 where this vulnerability is fixed. 2. If an update is not immediately available, restrict access to the vulnerable REST API endpoints by implementing authentication or IP-based access controls on your web server or firewall. 3. Disable or remove the SurveyFunnel plugin temporarily if you do not require its functionality until a patch is applied. 4. Monitor your logs for any unauthorized access to the /wp-json/surveyfunnel/v2/ endpoints to detect exploitation attempts. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13006. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart