CVE-2025-13696

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-13696

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13696.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-13696

Published

2025-12-02T08:16:00.490Z

Modified

2026-03-14T12:41:36.755607Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This makes it possible for unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data via the rocketfrontpaymentseesummary action by enumerating sequential formr_id values.

References

Affected packages

Git / github.com/softdiscover/zigaform-wp-cost-estimator-lite

Affected ranges

Type: GIT
Repo: https://github.com/softdiscover/zigaform-wp-cost-estimator-lite
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f129d8dd1fb3ab0535c7eb18d52fc49141ab36c8

Affected versions

v7.*

v7.0.5

v7.0.7

v7.0.9

v7.1.2

v7.1.4

v7.1.7

v7.1.8

v7.1.9

v7.2.0

v7.2.2

v7.2.4

v7.2.5

v7.2.9

v7.3.1

v7.3.8

v7.3.9

v7.4.1

v7.4.2

v7.4.3

v7.4.7

v7.4.8

v7.4.9

v7.5.0

v7.5.4

v7.5.5

v7.5.7

v7.5.9

v7.5.9.1

v7.6.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13696.json"