CVE-2025-13006: SurveyFunnel WordPress Plugin Exposes Sensitive Survey Data

Overview

CVE-2025-13006 is a medium-severity vulnerability in the SurveyFunnel – Survey Plugin for WordPress. Several of the plugin's REST API endpoints, in versions up to and including 1.1.5, are exposed without an adequate authorization check, so an unauthenticated attacker can read data submitted in survey responses.

Technical Details

The vulnerability resides in the /wp-json/surveyfunnel/v2/ REST API endpoints of the SurveyFunnel plugin, which are registered in the plugin's class-surveyfunnel-lite-rest-api.php file. Certain endpoints that return survey data were not protected by an adequate authentication or authorization check; in WordPress terms, the permission_callback attached to those routes did not require a logged-in user with an appropriate capability. As a result, anyone who can reach the site can query these endpoints without credentials and retrieve information submitted through surveys. Note that WordPress also serves the same routes through the query-string form /?rest_route=/surveyfunnel/v2/..., so any request-level filtering that only looks at the /wp-json/ prefix is incomplete.
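
The pattern behind this class of bug, as an added illustration that is not the SurveyFunnel plugin's own code: a WordPress REST route whose permission_callback admits everyone, beside the hardened registration of the same route. The namespace example/v2, the route, the capability manage_options and the data callback are hypothetical stand-ins for the plugin's real ones.

```php
<?php
/*
 * Added illustration, not code from the SurveyFunnel plugin. Shows a REST route
 * registered with a permissive permission_callback (the missing-authorization
 * pattern) and the hardened form. All names here are hypothetical.
 */

// Hypothetical data callback: stands in for whatever loads collected responses.
function example_get_survey_responses( WP_REST_Request $request ) {
    $survey_id = (int) $request['id'];
    // ... load responses for $survey_id from the database ...
    return rest_ensure_response( array( 'survey_id' => $survey_id, 'responses' => array() ) );
}

// VULNERABLE (shown for contrast, never hooked below): '__return_true' makes the
// route public, so any anonymous visitor can GET
// /wp-json/example/v2/surveys/123/responses or /?rest_route=/example/v2/surveys/123/responses.
function example_register_route_vulnerable() {
    register_rest_route( 'example/v2', '/surveys/(?P<id>\d+)/responses', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_survey_responses',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED: the permission_callback requires a logged-in user holding a capability
// appropriate for reading collected responses, and the id argument is validated and
// sanitized. WordPress turns the WP_Error into a 401 (anonymous) or 403 (logged in,
// insufficient capability) response before the data callback ever runs.
function example_register_route_hardened() {
    register_rest_route( 'example/v2', '/surveys/(?P<id>\d+)/responses', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_survey_responses',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

add_action( 'rest_api_init', 'example_register_route_hardened' );
```

Two points worth keeping in mind when auditing a plugin for this pattern. First, since WordPress 5.5 a route registered with no permission_callback at all still works (it only emits a _doing_it_wrong notice), so a missing key is as dangerous as '__return_true'. Second, WordPress cookie authentication for REST requests requires a valid X-WP-Nonce; a request without it is treated as anonymous even when the browser holds an admin session, which is why the check must live in the permission_callback on the server rather than in any assumption about who is "logged in" on the front end.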

CVSS Analysis

  • CVE ID: CVE-2025-13006
  • Severity: Medium
  • CVSS Score: 5.3
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Explanation: A network-reachable attacker can exploit this vulnerability without any privileges or user interaction. The impact is confined to information disclosure, rated Low (C:L) because the exposure is limited to the survey data the plugin holds rather than the whole system; the integrity and availability of the site are not affected.

Possible Impact

Successful exploitation of CVE-2025-13006 can lead to the following:

  • Exposure of Personally Identifiable Information (PII): Survey responses may contain sensitive data such as names, email addresses, opinions, and other personal information.
  • Data Breach: The collected survey data can be used for malicious purposes, including identity theft, phishing attacks, and other fraudulent activities.
  • Reputational Damage: An organization that experiences a data breach due to this vulnerability may suffer significant reputational damage and loss of customer trust.
  • Compliance Violations: Exposure of PII can lead to violations of data privacy regulations such as GDPR, CCPA, and others.

Mitigation and Patch Steps

To mitigate the risk posed by CVE-2025-13006, it is highly recommended to take the following steps:

  1. Update the Plugin: Upgrade the SurveyFunnel – Survey Plugin for WordPress to a version later than 1.1.5 as soon as one is available. This is the only complete remediation.
  2. Disable the Plugin: If an update is not immediately available, temporarily deactivate the SurveyFunnel plugin until a patched version can be installed. Deactivation removes the REST routes; leaving the plugin installed but unused does not.
  3. Web Application Firewall (WAF): As an interim measure, add a rule that blocks unauthenticated requests to the vulnerable endpoints. The rule must match both the /wp-json/surveyfunnel/v2/ path and the equivalent /?rest_route=/surveyfunnel/v2/ query-string form, or it can be bypassed trivially.
  4. Review Access Logs: Search your web server logs for requests to /wp-json/surveyfunnel/v2/ or rest_route=/surveyfunnel/v2/ from sources other than your own administrators. An access log does not record whether the request carried valid credentials, so treat any external hits to those routes from before the update as potential exploitation and assess what survey data could have been read.

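Where steps 2 and 3 are impractical, a must-use plugin can act as a virtual patch between the request and the plugin's own REST handlers, and at the same time write the record that step 4 asks for. The block below is an added example, not part of the SurveyFunnel plugin or of this site's configuration; it assumes that everything under the surveyfunnel/v2 namespace should require a logged-in user with the manage_options capability, and that the constants, function names and the empty allow-list are placeholders to be adjusted after reading the plugin's own route registrations.

```php
<?php
/*
 * Plugin Name: SurveyFunnel REST guard (temporary)
 * Description: Added stop-gap example, not part of the SurveyFunnel plugin. Denies
 *              unauthenticated access to the surveyfunnel/v2 REST namespace and logs
 *              blocked attempts. Place in wp-content/mu-plugins/ and delete after
 *              upgrading past 1.1.5.
 */

// ASSUMPTION: the whole namespace should be admin-only. If anonymous respondents
// legitimately submit answers through routes in this namespace, add regexes for
// those routes to the allow-list after confirming them in the plugin source
// (class-surveyfunnel-lite-rest-api.php); otherwise prefer deactivating the plugin.
const SF_GUARD_NAMESPACE  = '/surveyfunnel/v2/';
const SF_GUARD_CAPABILITY = 'manage_options';
const SF_GUARD_ALLOWLIST  = array(); // e.g. '#^/surveyfunnel/v2/some-public-route$#'

/**
 * Runs before any REST handler's permission_callback. Returning a WP_Error here
 * makes WordPress answer with that error and skip the handler entirely, so this
 * covers both the /wp-json/ path form and the ?rest_route= query-string form.
 */
function sf_guard_rest_request( $response, $handler, WP_REST_Request $request ) {
    $route = $request->get_route(); // e.g. "/surveyfunnel/v2/..."

    // Only act on the vulnerable namespace; every other route is untouched.
    if ( strpos( $route, SF_GUARD_NAMESPACE ) !== 0 ) {
        return $response;
    }

    foreach ( SF_GUARD_ALLOWLIST as $pattern ) {
        if ( preg_match( $pattern, $route ) ) {
            return $response;
        }
    }

    if ( is_user_logged_in() && current_user_can( SF_GUARD_CAPABILITY ) ) {
        return $response;
    }

    // Record the attempt for the log review in step 4: method, route, client address.
    error_log( sprintf(
        'surveyfunnel-guard: blocked %s %s from %s',
        $request->get_method(),
        $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    $status = is_user_logged_in() ? 403 : 401;
    return new WP_Error( 'rest_forbidden', 'Access to this endpoint is restricted.', array( 'status' => $status ) );
}
add_filter( 'rest_request_before_callbacks', 'sf_guard_rest_request', 10, 3 );
```

Test the guard on a staging copy before deploying it: with an empty allow-list it will also reject any front-end survey submissions that the plugin routes through the same namespace, which is the safe failure mode for a temporary patch but may not be acceptable for a live survey. Because the check runs inside WordPress rather than at the edge, it applies regardless of how the request reached the REST server, which is the gap a path-only WAF rule leaves open.
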
About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
