CVE-2025-13006: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wpeka-club SurveyFunnel – Survey Plugin for WordPress
The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses.
AI Analysis
Technical Summary
CVE-2025-13006 identifies a vulnerability in the SurveyFunnel – Survey Plugin for WordPress affecting all versions up to and including 1.1.5. The flaw arises from several unprotected REST API endpoints under /wp-json/surveyfunnel/v2/ that expose sensitive survey response data to unauthenticated attackers. Because these endpoints lack proper access controls, any remote attacker can query them without authentication or user interaction and retrieve potentially sensitive information submitted by survey participants. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 3.1 base score is 5.3 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: the attack can be performed remotely over the network with low complexity, no privileges, and no user interaction, and it impacts confidentiality only. There are no known exploits in the wild yet, and no official patch had been linked at the time of publication. The plugin is commonly used on WordPress sites to create and manage surveys, so exposure of survey data can lead to privacy violations and regulatory non-compliance, especially under GDPR in Europe. The technical root cause is insufficient access control on the REST API endpoints, which allows data leakage. Organizations using this plugin should monitor for updates and consider interim protective measures.
Potential Impact
The primary impact of CVE-2025-13006 is the unauthorized disclosure of sensitive survey response data, which can include personal or confidential information collected via the SurveyFunnel plugin. For European organizations, this poses significant privacy and compliance risks under GDPR, as unauthorized data exposure can lead to regulatory penalties and reputational damage. The breach of confidentiality may also erode customer trust and expose organizations to legal liabilities. Although the vulnerability does not affect data integrity or availability, the ease of exploitation without authentication increases the risk of mass data harvesting by attackers. Organizations that rely on surveys for customer feedback, market research, or internal assessments may inadvertently expose sensitive insights or personal data. The impact is heightened for sectors handling sensitive or regulated data, such as healthcare, finance, and public services. Additionally, the exposure of survey data could facilitate social engineering or targeted phishing attacks if attackers gain personal details. The absence of known exploits currently limits immediate widespread impact, but the vulnerability remains a significant risk until remediated.
Mitigation Recommendations
To mitigate CVE-2025-13006, organizations should first monitor the plugin vendor’s communications for an official security patch and apply updates promptly once available. Until a patch is released, administrators should restrict access to the vulnerable REST API endpoints by implementing web server rules (e.g., using .htaccess or nginx configurations) to block or limit requests to /wp-json/surveyfunnel/v2/ endpoints from unauthorized IP addresses. Employing a Web Application Firewall (WAF) with custom rules to detect and block suspicious API requests can provide additional protection. Reviewing and minimizing the use of the SurveyFunnel plugin or disabling it temporarily if not critical can reduce exposure. Conducting regular audits of WordPress plugins for security posture and ensuring the WordPress core and all plugins are up to date is essential. Additionally, organizations should review their data collection practices to limit sensitive data exposure and ensure compliance with GDPR data minimization principles. Logging and monitoring API access patterns can help detect potential exploitation attempts early. Finally, educating site administrators on plugin security and access control best practices will help prevent similar issues.
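One interim measure the recommendations above describe is restricting access to the /wp-json/surveyfunnel/v2/ endpoints until a vendor patch is available. The must-use plugin below is an added example written for this page, not code from the SurveyFunnel plugin or its vendor; it uses WordPress's standard rest_pre_dispatch filter instead of web server rules, assumes that only logged-in administrators (manage_options) legitimately read these endpoints, and should be tested on staging because public survey submission may also use this namespace.

```php
<?php
/**
 * Plugin Name: SurveyFunnel REST interim guard (hypothetical example)
 * Description: Blocks non-administrator requests to the /surveyfunnel/v2/
 *              REST namespace until a vendor patch is applied.
 *
 * Install by copying into wp-content/mu-plugins/ so it loads before regular
 * plugins. The manage_options requirement is an assumption about who needs
 * to read survey responses; adjust it to the site's role model.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never executed directly; only loaded by WordPress.
}

/**
 * Short-circuit REST dispatch for the vulnerable namespace.
 *
 * @param mixed           $result  Existing short-circuit result, null if none.
 * @param WP_REST_Server  $server  The REST server instance (unused here).
 * @param WP_REST_Request $request The incoming request.
 * @return mixed WP_Error to block, or $result to let WordPress continue.
 */
function sf_guard_rest_pre_dispatch( $result, $server, $request ) {
    $route = $request->get_route(); // e.g. "/surveyfunnel/v2/..."

    // Only act on the namespace named in the advisory; leave other routes alone.
    if ( 0 !== strpos( $route, '/surveyfunnel/v2/' ) ) {
        return $result;
    }

    // Authentication has already run by this point, so the capability check
    // reflects the cookie/nonce or application-password identity of the caller.
    if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
        return $result;
    }

    // Record the blocked attempt so probing of these endpoints shows up in logs.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf( 'sf-guard: blocked %s %s from %s', $request->get_method(), $route, $ip ) );

    // 401 for anonymous callers, 403 for authenticated users lacking the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'Access to this endpoint is restricted.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_pre_dispatch', 'sf_guard_rest_pre_dispatch', 10, 3 );
```

Blocked requests are written to the PHP error log, which gives the access-pattern monitoring the recommendations call for a concrete signal to alert on.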
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-11T14:12:52.783Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69326360f88dbe026c717946
Added to database: 12/5/2025, 4:45:20 AM
Last enriched: 12/5/2025, 5:01:25 AM
Last updated: 12/9/2025, 10:01:12 PM