CVE-2025-13696 is a vulnerability identified in the Zigaform – Price Calculator & Cost Estimation Form Builder Lite WordPress plugin, versions up to and including 7.6.5. The issue arises because the plugin exposes a public AJAX endpoint (rocket_front_payment_seesummary) that returns form submission data without performing any authorization checks to verify if the requester has rights to access that data. This lack of access control allows unauthenticated attackers to enumerate sequential form_r_id values and retrieve sensitive information submitted through forms, including personal data and payment details. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 3.1 base score is 5.3 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network exploitable, low attack complexity, no privileges or user interaction required, unchanged scope, and limited confidentiality impact. No integrity or availability impact is noted. No patches or known exploits are currently reported, but the vulnerability poses a significant privacy risk, especially for websites handling sensitive customer data. The plugin is widely used in WordPress environments for cost estimation and price calculation forms, making the attack surface potentially broad. The vulnerability’s exploitation could lead to unauthorized data disclosure, violating data protection regulations and damaging organizational reputation.

For European organizations, the exposure of sensitive form submission data can lead to serious privacy breaches, especially under the stringent requirements of the GDPR. Unauthorized access to personal and payment information can result in regulatory fines, legal liabilities, and loss of customer trust. Organizations using the affected Zigaform plugin on their WordPress sites risk leaking confidential customer data, which could be exploited for identity theft, fraud, or phishing attacks. The vulnerability does not affect system integrity or availability, but the confidentiality breach alone can have severe compliance and reputational consequences. E-commerce sites, financial services, and any businesses collecting sensitive customer data via forms are particularly vulnerable. Additionally, the ease of exploitation (no authentication or user interaction required) increases the likelihood of automated scanning and data harvesting by malicious actors. This could lead to widespread data exposure if not mitigated promptly.

1. Monitor the Zigaform plugin vendor’s announcements and apply security patches immediately once available. 2. Until a patch is released, restrict access to the AJAX endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to the rocket_front_payment_seesummary action. 3. Use WordPress security plugins or custom code to enforce strict authorization checks on AJAX endpoints, ensuring only authenticated and authorized users can access form submission data. 4. Conduct an audit of all WordPress plugins and remove or replace those that are no longer maintained or have known vulnerabilities. 5. Limit the exposure of sensitive data by minimizing the amount of personal and payment information collected via forms or by encrypting sensitive data at rest and in transit. 6. Implement logging and monitoring to detect unusual access patterns or enumeration attempts targeting form_r_id values. 7. Educate site administrators about the risks of using vulnerable plugins and encourage timely updates and security best practices.