CVE-2025-13696
BaseFortify
Publication date: 2025-12-02
Last updated on: 2025-12-02
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| softdiscover | zigaform_calculator_cost_estimation_form_builder_lite | 5.6.7 |
| softdiscover | zigaform_wp_cost_estimator_lite | 7.6.7 |
| softdiscover | zigaform_wp_cost_estimator_lite | 7.6.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Zigaform WordPress plugin (up to version 7.6.5) allows unauthenticated attackers to access sensitive form submission data. This happens because a public AJAX endpoint (rocket_front_payment_seesummary) does not perform authorization checks to verify if the requester has rights to view the data. Attackers can enumerate sequential form_r_id values to retrieve personal information, payment details, and other private data.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive information such as personal data and payment details submitted through forms. This exposure can result in privacy breaches, identity theft, financial fraud, and damage to the reputation of the affected website or organization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can negatively impact compliance with data protection regulations like GDPR and HIPAA because it allows unauthorized access to sensitive personal and payment information. Such exposure violates requirements for protecting personal data and ensuring confidentiality, potentially leading to regulatory penalties and legal consequences.