{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13006", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-11T14:12:52.783Z", "datePublished": "2025-12-05T04:29:12.541Z", "dateUpdated": "2026-04-08T17:33:06.337Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:06.337Z"}, "affected": [{"vendor": "wpeka-club", "product": "SurveyFunnel \u2013 Survey Plugin for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SurveyFunnel \u2013 Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses."}], "title": "SurveyFunnel \u2013 Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f43f69f0-6995-4789-acf3-8019227effe1?source=cve"}, {"url": "https://github.com/wpeka/surveyfunnel-lite/blob/master/includes/class-surveyfunnel-lite-rest-api.php"}, {"url": "https://plugins.trac.wordpress.org/browser/surveyfunnel-lite/tags/1.1.5/includes/class-surveyfunnel-lite-rest-api.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Deadbee"}], "timeline": [{"time": "2025-12-04T16:28:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T15:59:28.587285Z", "id": "CVE-2025-13006", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T15:59:50.124Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13006", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T15:59:28.587285Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T15:59:43.247Z"}}], "cna": {"title": "SurveyFunnel \u2013 Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Deadbee"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "wpeka-club", "product": "SurveyFunnel \u2013 Survey Plugin for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T16:28:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f43f69f0-6995-4789-acf3-8019227effe1?source=cve"}, {"url": "https://github.com/wpeka/surveyfunnel-lite/blob/master/includes/class-surveyfunnel-lite-rest-api.php"}, {"url": "https://plugins.trac.wordpress.org/browser/surveyfunnel-lite/tags/1.1.5/includes/class-surveyfunnel-lite-rest-api.php"}], "descriptions": [{"lang": "en", "value": "The SurveyFunnel \u2013 Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:06.337Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13006", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:06.337Z", "dateReserved": "2025-11-11T14:12:52.783Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T04:29:12.541Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SurveyFunnel \u2013 Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses."}, {"lang": "es", "value": "El plugin SurveyFunnel \u2013 Survey Plugin para WordPress es vulnerable a la Exposici\u00f3n de Informaci\u00f3n Sensible en todas las versiones hasta la 1.1.5, incluida esta, a trav\u00e9s de varios endpoints desprotegidos de la API REST /wp-json/surveyfunnel/v2/. Esto permite a atacantes no autenticados extraer datos sensibles de las respuestas de la encuesta."}], "id": "CVE-2025-13006", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T05:16:56.937", "references": [{"source": "security@wordfence.com", "url": "https://github.com/wpeka/surveyfunnel-lite/blob/master/includes/class-surveyfunnel-lite-rest-api.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/surveyfunnel-lite/tags/1.1.5/includes/class-surveyfunnel-lite-rest-api.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f43f69f0-6995-4789-acf3-8019227effe1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:08:53.966784+00:00", "value": {"mitigation_remediation": ["Upgrade the SurveyFunnel \u2013 Survey Plugin for WordPress to the latest version that excludes the vulnerable API endpoints.", "If upgrading is not immediately possible, block or restrict access to the /wp-json/surveyfunnel/v2/ endpoints by configuring your web server or through security plugins to require authentication.", "After remediation, review legacy data for exposed survey responses and consider deleting or encrypting any sensitive data that may have been leaked.", "Monitor the WordPress logs for unusual API calls to ensure no further exploitation occurs."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to installations of the SurveyFunnel \u2013 Survey Plugin for WordPress running any version through 1.1.5. Any WordPress site that has this plugin installed and has maintained that or earlier versions is susceptible, regardless of the broader WordPress environment.", "description_and_impact": "The SurveyFunnel \u2013 Survey Plugin for WordPress contains sensitive information exposure vulnerabilities in all releases up to and including version 1.1.5. The flaw arises from several REST API endpoints that lack authentication checks, allowing attackers to query and retrieve confidential survey responses. This results in unauthorized disclosure of data that the plugin stores, violating confidentiality safeguards and potentially revealing private respondent information.", "risk_and_exploitability": "The reported CVSS score of 5.3 indicates a medium severity impact. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is unauthenticated and exposed via public REST API endpoints, meaning an attacker can exploit it without credentials simply by accessing the plugin\u2019s URLs. The compromise compromises only confidentiality, with no direct impact on integrity or availability."}}}}, "created": "2025-12-05T10:51:55.327360+00:00", "updated": "2026-04-21T01:15:20.130826+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpeka-club", "wpeka-club$PRODUCT$surveyfunnel"]}