CVE-2025-13696 Overview
CVE-2025-13696 is a Sensitive Information Exposure vulnerability affecting the Zigaform plugin for WordPress in versions up to and including 7.6.5. The vulnerability exists due to the plugin exposing a public AJAX endpoint (rocket_front_payment_seesummary) that retrieves form submission data without performing proper authorization checks to verify ownership or access rights.
This flaw enables unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data by enumerating sequential form_r_id values. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Critical Impact
Unauthenticated attackers can harvest sensitive user data, including payment details and personal information, from any WordPress site running a vulnerable Zigaform installation.
Affected Products
- Zigaform Calculator Cost Estimation Form Builder Lite versions ≤ 7.6.5
- WordPress sites using vulnerable Zigaform plugin versions
- Any forms collecting sensitive data through affected plugin versions
Discovery Timeline
- December 2, 2025 - CVE-2025-13696 published to NVD
- December 2, 2025 - Last updated in NVD database
Technical Details for CVE-2025-13696
Vulnerability Analysis
The vulnerability resides in the uiform-fb-controller-frontend.php file within the Zigaform plugin's formbuilder module. The affected code is located at line 106 of the controller file, which handles the rocket_front_payment_seesummary AJAX action.
The CVSS 3.1 score for this vulnerability is 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This scoring reflects:
- Attack Vector (AV:N): Network-accessible without requiring local access
- Attack Complexity (AC:L): Low complexity with no special conditions required
- Privileges Required (PR:N): No authentication needed
- User Interaction (UI:N): No user interaction required
- Scope (S:U): Unchanged; the impact is confined to the vulnerable plugin's data
- Confidentiality Impact (C:L): Limited confidential data exposure
- Integrity Impact (I:N) and Availability Impact (A:N): None; the flaw only discloses data
The EPSS (Exploit Prediction Scoring System) probability is 0.053%, placing this vulnerability in the 16.75th percentile for exploitation likelihood.
Root Cause
The root cause of this vulnerability is the absence of proper authorization checks in the AJAX endpoint handler. The rocket_front_payment_seesummary action processes requests without verifying:
- Whether the requesting user has ownership of the form submission
- Whether the user has appropriate access rights to view the data
- Whether the request originates from an authenticated session
This missing authorization logic allows any remote attacker to access form submission records simply by knowing or guessing the sequential form_r_id parameter values.
Attack Vector
The attack vector exploits the publicly accessible WordPress AJAX endpoint. An attacker can craft HTTP requests to the WordPress AJAX handler targeting the vulnerable action. By systematically enumerating form_r_id values (which appear to be sequential), attackers can retrieve all stored form submissions.
The attack flow involves sending POST requests to /wp-admin/admin-ajax.php with the action parameter set to rocket_front_payment_seesummary and iterating through potential form_r_id values. Each successful request returns the corresponding form submission data, which may include names, email addresses, phone numbers, payment information, and any other data collected through the forms.
Detection Methods for CVE-2025-13696
Indicators of Compromise
- Unusual volume of requests to /wp-admin/admin-ajax.php with the rocket_front_payment_seesummary action
- Sequential enumeration patterns in form_r_id parameters from single IP addresses
- Multiple requests from unauthenticated sessions accessing form submission endpoints
- Abnormal traffic patterns targeting WordPress AJAX endpoints
Detection Strategies
Security teams should implement web application firewall (WAF) rules to detect and block enumeration attempts against the vulnerable endpoint. Monitor server access logs for patterns indicating automated scanning or data harvesting activities.
SentinelOne customers can leverage the platform's behavioral analysis capabilities to detect anomalous web traffic patterns and potential data exfiltration attempts. The Singularity platform provides visibility into application-layer attacks targeting WordPress installations.
Implement rate limiting on AJAX endpoints to slow down enumeration attacks and generate alerts when thresholds are exceeded.
Monitoring Recommendations
Configure logging to capture all AJAX requests with relevant parameters for forensic analysis. Establish baseline traffic patterns for legitimate form access to identify anomalous behavior. Deploy intrusion detection systems (IDS) with signatures targeting WordPress AJAX abuse patterns.
Organizations should audit their WordPress access logs for historical evidence of exploitation, particularly looking for high-frequency requests to the affected endpoint from external IP addresses.
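The following script, added here as an illustration and not part of the original advisory or the Zigaform project, shows how the indicators above can be checked against web server access logs: it parses combined-format log lines, keeps only requests to /wp-admin/admin-ajax.php whose action is rocket_front_payment_seesummary, and flags source IPs by request volume and by the length of the longest sequential form_r_id run. It assumes the action and form_r_id parameters are visible in the logged request line (query string); when a client sends them only in a POST body, a standard access log will not contain them and the values must be captured at the WAF or application layer instead. The sample log lines and the alert thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

VULNERABLE_ACTION = "rocket_front_payment_seesummary"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, status, form_r_id) for a request to the vulnerable AJAX action,
    or None for any other line. form_r_id is None when the parameter is absent."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != AJAX_PATH:
        return None
    qs = parse_qs(parts.query)
    if qs.get("action", [None])[0] != VULNERABLE_ACTION:
        return None
    raw_id = qs.get("form_r_id", [None])[0]
    form_r_id = int(raw_id) if raw_id is not None and raw_id.isdigit() else None
    return m.group("ip"), int(m.group("status")), form_r_id


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids (e.g. 101,102,103 -> 3)."""
    best = run = 0
    prev = None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def find_enumeration(log_text, min_requests=20, min_run=5):
    """Group vulnerable-action hits by source IP and flag IPs whose volume or
    sequential form_r_id pattern indicates enumeration. Thresholds are constructed."""
    per_ip = defaultdict(lambda: {"hits": 0, "ok": 0, "ids": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, status, form_r_id = parsed
        rec = per_ip[ip]
        rec["hits"] += 1
        if status == 200:  # a 200 means the plugin returned submission data
            rec["ok"] += 1
        if form_r_id is not None:
            rec["ids"].append(form_r_id)
    findings = []
    for ip, rec in per_ip.items():
        run = longest_consecutive_run(rec["ids"])
        if rec["hits"] >= min_requests or run >= min_run:
            findings.append({
                "ip": ip,
                "requests": rec["hits"],
                "successful": rec["ok"],
                "distinct_ids": len(set(rec["ids"])),
                "longest_sequential_run": run,
            })
    return sorted(findings, key=lambda f: f["requests"], reverse=True)


def _constructed_sample_log():
    """Synthetic access log (constructed, not real traffic): one client walking
    form_r_id 100..111 sequentially, one normal client, one unrelated request."""
    ua = '"-" "python-requests/2.32"'
    lines = []
    for n, rid in enumerate(range(100, 112)):
        status = 404 if rid == 105 else 200  # one id does not exist
        lines.append(f'203.0.113.10 - - [02/Dec/2025:10:00:{n:02d} +0000] '
                     f'"POST {AJAX_PATH}?action={VULNERABLE_ACTION}&form_r_id={rid} HTTP/1.1" {status} 512 {ua}')
    lines.append('198.51.100.7 - - [02/Dec/2025:10:05:00 +0000] '
                 f'"POST {AJAX_PATH}?action={VULNERABLE_ACTION}&form_r_id=57 HTTP/1.1" 200 480 "https://example.test/quote" "Mozilla/5.0"')
    lines.append('198.51.100.7 - - [02/Dec/2025:10:05:01 +0000] '
                 f'"POST {AJAX_PATH}?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"')
    lines.append('192.0.2.4 - - [02/Dec/2025:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "curl/8.0"')
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_LOG):
        print(finding)
```

Running the script flags only 203.0.113.10 (12 requests, 11 successful, a sequential run of 12 ids); the single legitimate lookup from 198.51.100.7 stays below both thresholds. Feed it a real log with `find_enumeration(open(path).read())` and tune min_requests and min_run against the baseline traffic for your forms.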
How to Mitigate CVE-2025-13696
Immediate Actions Required
- Update the Zigaform plugin to a patched version that includes authorization checks
- Review server logs for evidence of prior exploitation attempts
- Audit stored form submission data for any signs of unauthorized access
- Consider temporarily disabling the Zigaform plugin until patching is complete
- Implement WAF rules to block unauthenticated access to the vulnerable endpoint
Patch Information
A security patch has been released by the vendor. The fix is available in commit f129d8dd1fb3ab0535c7eb18d52fc49141ab36c8 on the official GitHub repository. The patch implements proper authorization checks to verify user permissions before returning form submission data.
WordPress administrators should update to the latest version of the Zigaform Calculator Cost Estimation Form Builder Lite plugin through the WordPress plugin repository. The changeset addressing this vulnerability is documented in the WordPress plugins Trac.
Reference URLs:
- GitHub Commit: https://github.com/Softdiscover/Zigaform-WP-Cost-Estimator-Lite/commit/f129d8dd1fb3ab0535c7eb18d52fc49141ab36c8
- Wordfence Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/47f9a466-2826-4835-b06e-14cf4ceb7567
Workarounds
If immediate patching is not possible, administrators can implement temporary mitigations:
Restrict access to the WordPress AJAX handler for unauthenticated users at the web server level. This can be accomplished through Apache .htaccess rules or Nginx location blocks that require authentication for admin-ajax.php requests with specific action parameters.
# Nginx configuration to restrict the vulnerable endpoint.
# Caveat: $arg_action only sees the action when it is passed in the query string.
# The plugin also accepts it in a POST body, which core Nginx cannot inspect, so
# pair this rule with a WAF rule (or the plugin update) for full coverage.
location = /wp-admin/admin-ajax.php {
    # Block requests to the vulnerable action
    if ($arg_action = "rocket_front_payment_seesummary") {
        return 403;
    }
    # Continue with normal processing for other AJAX requests
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # "php-fpm" must be an upstream (or socket) already defined in your config
    fastcgi_pass php-fpm;
}
Additionally, consider implementing IP-based access controls to limit which addresses can reach the WordPress admin endpoints, and deploy a web application firewall with rules specifically targeting this vulnerability pattern.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

