CVE-2025-13006 identifies a sensitive information exposure vulnerability in the SurveyFunnel – Survey Plugin for WordPress, maintained by wpeka-club. The flaw exists in all versions up to and including 1.1.5 and stems from several REST API endpoints under /wp-json/surveyfunnel/v2/ that lack proper access controls. These endpoints expose survey response data, which may include personally identifiable information or other confidential inputs submitted by users. Because the API endpoints are unprotected, attackers can query them without authentication or user interaction, making exploitation straightforward. The vulnerability is categorized under CWE-200, indicating that sensitive data is accessible to unauthorized actors. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the ease of remote exploitation (network vector), no privileges required, and no user interaction needed, but limited impact confined to confidentiality loss without affecting integrity or availability. No patches or updates are currently linked, and no known exploits have been observed in the wild. The vulnerability poses a privacy risk and could lead to data leakage, regulatory compliance issues, and reputational damage for organizations using the plugin. The plugin’s widespread use in WordPress sites globally increases the potential attack surface.

The primary impact of CVE-2025-13006 is unauthorized disclosure of sensitive survey response data, which can include personal, financial, or proprietary information depending on the survey content. This exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), and loss of customer trust. Organizations relying on SurveyFunnel for data collection may face reputational damage and potential legal consequences if sensitive data is leaked. Although the vulnerability does not allow data modification or service disruption, the confidentiality breach alone is significant, especially for sectors handling sensitive user data such as healthcare, finance, education, and market research. The ease of exploitation without authentication increases the risk of automated mass data harvesting attacks. Since the vulnerability affects all versions up to 1.1.5, any unpatched installations remain at risk until mitigations or updates are applied.

To mitigate CVE-2025-13006, organizations should immediately audit their WordPress installations to identify the presence of the SurveyFunnel plugin and its version. Until an official patch is released, administrators should restrict access to the vulnerable REST API endpoints by implementing web application firewall (WAF) rules or server-level access controls limiting requests to trusted IP addresses or authenticated users only. Disabling or removing the plugin temporarily can be considered if survey functionality is non-critical. Monitoring web server logs for unusual access patterns to /wp-json/surveyfunnel/v2/ endpoints can help detect exploitation attempts. Once a vendor patch or update is available, prompt application is essential. Additionally, organizations should review and minimize sensitive data collected via surveys to reduce exposure risk. Employing security plugins that enforce strict REST API permissions and regularly scanning WordPress sites for vulnerabilities will further reduce risk.