CVE-2025-13006: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wpeka-club SurveyFunnel – Survey Plugin for WordPress
The SurveyFunnel – Survey Plugin for WordPress plugin is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses.
AI Analysis
Technical Summary
CVE-2025-13006 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) in the SurveyFunnel – Survey Plugin for WordPress developed by wpeka-club. The plugin, which creates and manages surveys on WordPress sites, registers several REST API routes under /wp-json/surveyfunnel/v2/ that return survey response data without checking who is asking. All versions up to and including 1.1.5 are affected. Because the routes enforce no access control, an unauthenticated attacker can request them directly and read the answers that respondents have submitted.

In WordPress, authorization for a REST route is not global: it is enforced per route by the permission_callback supplied to register_rest_route(). A route registered with no callback, or with __return_true, is served to anyone who can reach the REST API, and since WordPress 5.5 a missing callback only raises a _doing_it_wrong() notice rather than denying the request. That is the class of defect this CWE-200 finding describes. Two consequences matter for defenders. First, the REST API is also reachable without pretty permalinks through the ?rest_route=/surveyfunnel/v2/... query form, so a WAF rule that matches only the /wp-json/ path prefix is incomplete. Second, the advisory does not name the affected endpoints; the routes actually registered by the installed version can be listed by requesting the namespace index at /wp-json/surveyfunnel/v2.

The CVSS 3.1 base score is 5.3 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: network attack vector, low attack complexity, no privileges required, no user interaction, and impact confined to confidentiality. No patches or fixes are currently linked to the record, and no exploitation in the wild has been reported. The exposed data may include personally identifiable information or other details respondents expected to stay private, so the practical confidentiality impact depends on what a site's surveys ask; C:L is a scoring convention, not a statement that the data is trivial.
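The following is an added illustrative example, not code from SurveyFunnel, wpeka-club or Wordfence: it shows the WordPress REST registration pattern that produces this class of exposure next to the hardened form. The namespace example/v1, the route names and example_get_survey_responses() are hypothetical stand-ins; only register_rest_route(), permission_callback, current_user_can(), WP_Error and rest_authorization_required_code() are real WordPress APIs.

```php
<?php
/**
 * Added example (not the plugin's code): an unprotected REST route beside a
 * route gated by permission_callback. Namespace 'example/v1', the route paths
 * and example_get_survey_responses() are hypothetical.
 */

// Hypothetical data source standing in for the plugin's response store.
function example_get_survey_responses( int $survey_id ): array {
    return [ 'survey_id' => $survey_id, 'responses' => [] ];
}

add_action( 'rest_api_init', function () {
    // VULNERABLE PATTERN (CWE-200 via missing authorization): '__return_true'
    // tells WordPress to skip authorization, so any anonymous client that can
    // reach /wp-json/ (or ?rest_route=) receives every stored response.
    register_rest_route( 'example/v1', '/responses/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => fn( WP_REST_Request $req ) =>
            rest_ensure_response( example_get_survey_responses( (int) $req['id'] ) ),
        'permission_callback' => '__return_true',
    ] );

    // HARDENED PATTERN: same handler, but the permission callback runs before
    // it and refuses callers without the capability, so the data is never read.
    register_rest_route( 'example/v1', '/responses-secure/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => fn( WP_REST_Request $req ) =>
            rest_ensure_response( example_get_survey_responses( (int) $req['id'] ) ),
        'permission_callback' => function ( WP_REST_Request $req ) {
            // Cookie-authenticated callers must also send a valid X-WP-Nonce
            // header; without it WordPress treats them as user ID 0 (anonymous).
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Sorry, you are not allowed to read survey responses.',
                    // 401 for anonymous callers, 403 for logged-in users
                    // lacking the capability.
                    [ 'status' => rest_authorization_required_code() ]
                );
            }
            return true;
        },
        'args' => [
            'id' => [
                'validate_callback' => fn( $v ) => is_numeric( $v ),
                'sanitize_callback' => 'absint',
            ],
        ],
    ] );
} );
```

The capability chosen (manage_options here) is an assumption; a real plugin would map it to whichever role is meant to read results. The important property is that the check is attached to the route, so it applies regardless of whether the request arrives via /wp-json/ or ?rest_route=.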
Potential Impact
For European organizations, exposure of survey responses can mean privacy violations, GDPR non-compliance, and reputational damage. Survey data often contains personal or confidential information, and unauthorized access to it is a personal data breach affecting customers, employees, or partners, with the notification obligations that follow. The impact is greatest in sectors that collect sensitive answers through surveys, such as market research firms, healthcare providers, educational institutions, and government agencies. The vulnerability does not affect integrity or availability, but the confidentiality breach alone can trigger legal consequences and loss of trust. The Medium rating reflects CVSS scoring conventions (C:L), not the sensitivity of any particular site's data, so the risk should be judged against what the deployed surveys actually collect. Exploitation requires no credentials or user interaction, which makes opportunistic, automated scanning of exposed sites likely once the endpoints are known. Sites that have not restricted access to the affected REST namespace, or that run many surveys, are at higher risk. No exploitation in the wild has been reported, which is consistent with recent disclosure, but that is no reason to delay mitigation.
Mitigation Recommendations
1. Audit and restrict access to the /wp-json/surveyfunnel/v2/ REST routes at the web application firewall (WAF) or web server level. Match both the /wp-json/surveyfunnel/v2/ path and the ?rest_route=/surveyfunnel/v2/ query form, and test on staging first: the survey front-end itself may submit responses through routes in this namespace, so a blanket block can break surveys. Enumerate the registered routes via the namespace index at /wp-json/surveyfunnel/v2 before writing the rule.
2. Disable or remove the SurveyFunnel plugin if it is not essential, to reduce the attack surface.
3. Monitor web server logs for repeated or enumerating requests to the vulnerable routes, in particular GET requests carrying no WordPress login cookie, coming from a small set of source IPs, or iterating over survey or response IDs.
4. The root fix belongs to the plugin: each route must carry a permission_callback that checks an appropriate capability before returning response data. Until the vendor ships it, a site operator can enforce the same check at the WordPress level (for example by rejecting anonymous requests to the namespace from a must-use plugin) rather than relying on path matching alone.
5. Update the plugin as soon as the vendor releases a version addressing this vulnerability, and keep WordPress core and other plugins current.
6. Conduct a privacy impact assessment and review data retention so that surveys store only what is needed; responses that were never collected, or were already deleted, cannot be exposed.
7. Educate site administrators about the risk of unauthenticated REST endpoints and WordPress hardening practices.
8. Consider security plugins that detect and block suspicious API requests.
9. Use TLS for all traffic. Encryption at rest does not help against this vulnerability, because the application decrypts the data before the API returns it; treat it as a defence against a different threat.
10. Prepare an incident response plan. If the endpoints were exposed, review logs to determine whether responses were actually retrieved, since that decides whether a breach notification is required.
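One way to implement the interim control from items 1 and 4 above, as an added example that is not code from SurveyFunnel or Wordfence: a must-use plugin that denies anonymous requests to the /surveyfunnel/v2 namespace before the route's own handler runs. It assumes the WordPress filter rest_request_before_callbacks, current_user_can() and rest_authorization_required_code(), which are real core APIs; the allow-list of public routes is a placeholder, because the advisory does not name the affected endpoints, and must be filled in from the site's own namespace index.

```php
<?php
/**
 * Plugin Name: SurveyFunnel REST virtual patch (added example)
 *
 * Drop into wp-content/mu-plugins/ to deny anonymous access to the
 * /surveyfunnel/v2 REST namespace until a vendor fix is installed. Added
 * illustrative code, not from SurveyFunnel or Wordfence. The allow-list is
 * empty by default: list the routes the public survey front-end genuinely
 * needs after reading GET /wp-json/surveyfunnel/v2 (the namespace index).
 */

// [regex on the routed path, HTTP method] pairs anonymous visitors may still
// call. Hypothetical placeholder; populate from your own site's route index.
const SF_VP_PUBLIC_ROUTES = [
    // [ '#^/surveyfunnel/v2/submit$#', 'POST' ],
];

function sf_vp_is_allowed_public( string $route, string $method ): bool {
    foreach ( SF_VP_PUBLIC_ROUTES as [ $pattern, $allowed_method ] ) {
        if ( $method === $allowed_method && preg_match( $pattern, $route ) ) {
            return true;
        }
    }
    return false;
}

// rest_request_before_callbacks runs after routing but before the route's
// permission_callback and handler; returning a WP_Error short-circuits both.
// Because it matches on the routed path, it also covers the ?rest_route=/...
// form that bypasses a URL-based WAF rule written only for /wp-json/.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, WP_REST_Request $request ) {
    $route = $request->get_route();
    if ( 0 !== strpos( $route, '/surveyfunnel/v2' ) ) {
        return $response; // not this plugin's namespace, leave untouched
    }
    if ( sf_vp_is_allowed_public( $route, $request->get_method() ) ) {
        return $response; // explicitly allow-listed public route
    }
    // Require an authenticated user with the capability. For cookie auth this
    // also requires a valid X-WP-Nonce header; otherwise WordPress sees user 0.
    if ( current_user_can( 'manage_options' ) ) {
        return $response;
    }
    error_log( sprintf(
        'sf-virtual-patch: denied %s %s from %s',
        $request->get_method(),
        $route,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
    return new WP_Error(
        'rest_forbidden',
        'This endpoint requires authentication.',
        [ 'status' => rest_authorization_required_code() ] // 401 or 403
    );
}, 10, 3 );
```

Test on staging with the front-end survey open: if submissions fail, the route the front-end calls must be added to SF_VP_PUBLIC_ROUTES. The error_log() line doubles as the monitoring hook from item 3; denied requests appear in the PHP error log with method, route and source address. Remove the file once a fixed plugin version is installed.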
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-11T14:12:52.783Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69326360f88dbe026c717946
Added to database: 12/5/2025, 4:45:20 AM
Last enriched: 12/12/2025, 5:05:38 AM
Last updated: 2/4/2026, 4:40:14 AM
Views: 67
Related Threats
CVE-2026-1791: CWE-434 Unrestricted Upload of File with Dangerous Type in Hillstone Networks Operation and Maintenance Security Gateway (Low)
CVE-2026-1835: Cross-Site Request Forgery in lcg0124 BootDo (Medium)
CVE-2026-1813: Unrestricted Upload in bolo-blog bolo-solo (Medium)
CVE-2026-1632: CWE-306 Missing Authentication for Critical Function in RISS SRL MOMA Seismic Station (Critical)
CVE-2026-1812: Path Traversal in bolo-blog bolo-solo (Medium)