CVE-2025-13696

EPSS 0.26%
Veröffentlicht 02.12.2025 07:24:30
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Zigaform <= 7.6.5 - Unauthenticated Form Submission Data Disclosure in rocket_front_payment_seesummary AJAX Endpoint

The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This makes it possible for unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data via the rocket_front_payment_seesummary action by enumerating sequential form_r_id values.

Mögliche Gegenmaßnahme

Zigaform – Price Calculator & Cost Estimation Form Builder Lite: Update to version 7.6.7, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellersoftdiscover

≫

Produkt Zigaform – Price Calculator & Cost Estimation Form Builder Lite

Default Statusunaffected

Version <= 7.6.5

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Zigaform – Price Calculator & Cost Estimation Form Builder Lite

Version *-7.6.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.166

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://www.wordfence.com/threat-intel/vulnerabilities/id/47f9a466-2826-4835-b06e-14cf4ceb7567?source=cve

https://plugins.trac.wordpress.org/browser/zigaform-calculator-cost-estimation-form-builder-lite/trunk/modules/formbuilder/controllers/uiform-fb-controller-frontend.php#L106

https://plugins.trac.wordpress.org/browser/zigaform-calculator-cost-estimation-form-builder-lite/tags/7.6.5/modules/formbuilder/controllers/uiform-fb-controller-frontend.php#L106

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406507%40zigaform-calculator-cost-estimation-form-builder-lite&new=3406507%40zigaform-calculator-cost-estimation-form-builder-lite&sfp_email=&sfph_mail=

https://github.com/Softdiscover/Zigaform-WP-Cost-Estimator-Lite/commit/f129d8dd1fb3ab0535c7eb18d52fc49141ab36c8

https://www.wordfence.com/threat-intel/vulnerabilities/id/47f9a466-2826-4835-b06e-14cf4ceb7567

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-13696

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-13696

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-13696

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-13696