CVE-2025-13696: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in softdiscover Zigaform – Price Calculator & Cost Estimation Form Builder Lite
The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This makes it possible for unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data via the rocket_front_payment_seesummary action by enumerating sequential form_r_id values.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-13696 affects the Zigaform – Price Calculator & Cost Estimation Form Builder Lite plugin for WordPress, versions up to and including 7.6.5. This flaw is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The root cause is a public AJAX endpoint (rocket_front_payment_seesummary) that retrieves form submission data without performing any authorization or ownership verification. Attackers can exploit this by enumerating sequential form_r_id values, allowing them to access sensitive data such as personal details, payment information, and other private submission content. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 3.1 base score is 5.3 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to confidentiality loss. There are no known exploits in the wild yet, and no official patches have been linked at the time of publication. The vulnerability poses a significant privacy risk, especially for organizations handling sensitive customer data through Zigaform forms on WordPress sites. The lack of authorization checks on the AJAX endpoint is a critical design flaw that can be leveraged for data harvesting and privacy violations.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive information, including personal and payment data submitted through Zigaform forms. This can lead to privacy breaches, identity theft, financial fraud, and reputational damage for affected organizations. Since the vulnerability does not affect integrity or availability, it does not allow data modification or service disruption. However, the exposure of confidential data alone can have severe regulatory and compliance consequences, especially under data protection laws such as GDPR or CCPA. Organizations using the vulnerable plugin may face legal liabilities and loss of customer trust. The ease of exploitation (no authentication or user interaction required) increases the risk of automated mass data harvesting attacks. The scope includes any WordPress site using the affected versions of Zigaform, which could be widespread given WordPress's global popularity. Although no exploits are currently known in the wild, the vulnerability represents a significant privacy risk that could be weaponized by attackers targeting e-commerce, financial services, healthcare, and other sectors relying on sensitive form data.
Mitigation Recommendations
1. Immediately restrict access to the vulnerable AJAX endpoint by implementing web application firewall (WAF) rules that block or rate-limit requests to rocket_front_payment_seesummary, especially those attempting to enumerate form_r_id values.
2. If the Zigaform plugin is not essential, disable or remove it to reduce the attack surface until a patch is available.
3. Monitor web server logs for suspicious activity targeting the AJAX endpoint, such as sequential form_r_id enumeration patterns.
4. Apply the principle of least privilege by ensuring that form submission data is only accessible to authenticated and authorized users within the application logic.
5. Once a security patch or updated plugin version is released by the vendor, promptly update to the fixed version.
6. Conduct a thorough audit of stored form submission data to identify any potential data leakage, and notify affected users if sensitive information was exposed.
7. Employ additional security controls such as multi-factor authentication for administrative access and regular vulnerability scanning to detect similar issues.
8. Educate site administrators about the risks of exposing sensitive data through public endpoints and about best practices for secure plugin configuration.
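A log check for recommendation 3, added here as an example and not taken from the advisory or the plugin vendor: it flags clients whose successful requests to the rocket_front_payment_seesummary action walk consecutive form_r_id values. It assumes the endpoint is called via GET so that the action and form_r_id parameters appear in the request line of a combined-format access log (for POST bodies a WAF or application log that records parameters would be needed); the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ACTION = "rocket_front_payment_seesummary"
# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2025:07:40:01 +0000] "GET /wp-admin/admin-ajax.php?action=rocket_front_payment_seesummary&form_r_id=101 HTTP/1.1" 200 812
203.0.113.7 - - [02/Dec/2025:07:40:02 +0000] "GET /wp-admin/admin-ajax.php?action=rocket_front_payment_seesummary&form_r_id=102 HTTP/1.1" 200 790
203.0.113.7 - - [02/Dec/2025:07:40:02 +0000] "GET /wp-admin/admin-ajax.php?action=rocket_front_payment_seesummary&form_r_id=103 HTTP/1.1" 200 805
203.0.113.7 - - [02/Dec/2025:07:40:03 +0000] "GET /wp-admin/admin-ajax.php?action=rocket_front_payment_seesummary&form_r_id=104 HTTP/1.1" 200 799
198.51.100.4 - - [02/Dec/2025:07:41:10 +0000] "GET /wp-admin/admin-ajax.php?action=rocket_front_payment_seesummary&form_r_id=57 HTTP/1.1" 200 811
198.51.100.4 - - [02/Dec/2025:07:45:31 +0000] "GET /wp-admin/admin-ajax.php?action=other_action&form_r_id=58 HTTP/1.1" 200 300
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def parse_hits(log_text):
    """Map client IP -> list of form_r_id values served (HTTP 200) by the vulnerable action."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        parts = urlsplit(m.group("uri"))
        qs = parse_qs(parts.query)
        if not parts.path.endswith("/admin-ajax.php") or qs.get("action") != [ACTION]:
            continue
        rid = qs.get("form_r_id", [""])[0]
        if rid.isdigit():
            hits[m.group("ip")].append(int(rid))
    return dict(hits)

def longest_sequential_run(ids):
    """Length of the longest run of consecutive form_r_id values, regardless of request order."""
    uniq = sorted(set(ids))
    best = run = 1 if uniq else 0
    for prev, cur in zip(uniq, uniq[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(log_text, min_run=3):
    """Flag clients whose successful requests cover at least min_run consecutive form_r_id values."""
    flagged = {}
    for ip, ids in parse_hits(log_text).items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[ip] = {"distinct_ids": len(set(ids)), "longest_run": run}
    return flagged
```

Calling find_enumerators(SAMPLE_LOG) flags only 203.0.113.7 (four consecutive IDs); tune min_run to the volume of legitimate per-client traffic on the site before alerting on it.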
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T21:12:12.817Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692e98935ae71122648fbfb0
Added to database: 12/2/2025, 7:43:15 AM
Last enriched: 2/27/2026, 10:11:57 AM
Last updated: 3/22/2026, 3:27:15 PM