CVE-2025-13696 identifies a sensitive information exposure vulnerability in the Zigaform – Price Calculator & Cost Estimation Form Builder Lite WordPress plugin, versions up to and including 7.6.5. The core issue arises from a publicly accessible AJAX endpoint (rocket_front_payment_seesummary action) that returns form submission data without performing any authorization or ownership verification. This flaw allows unauthenticated attackers to enumerate sequential form_r_id values and retrieve sensitive data such as personal details, payment information, and other private form submissions. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 3.1 base score is 5.3 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and limited confidentiality impact. No integrity or availability impacts are noted. No patches or known exploits are currently reported, but the vulnerability poses a significant risk of data leakage if exploited. The plugin is widely used in WordPress environments for cost estimation and price calculation forms, often handling sensitive customer data, making this exposure particularly concerning for organizations processing personal or payment information.

The primary impact of CVE-2025-13696 is the unauthorized disclosure of sensitive information submitted through Zigaform forms, including personal and payment data. For European organizations, this can lead to violations of GDPR and other data protection regulations, resulting in legal penalties, reputational damage, and loss of customer trust. Organizations in sectors such as e-commerce, finance, and services that rely on Zigaform for customer interactions are at heightened risk. Although the vulnerability does not allow data modification or service disruption, the confidentiality breach alone can facilitate identity theft, fraud, and targeted phishing attacks. The ease of exploitation—requiring no authentication or user interaction—makes this vulnerability particularly dangerous in environments where the plugin is deployed without additional access controls. The absence of known exploits in the wild currently limits immediate risk, but the public nature of the vulnerability and its straightforward exploitation method suggest a high likelihood of future attacks.

To mitigate CVE-2025-13696, organizations should immediately verify if they are running vulnerable versions of the Zigaform plugin (up to 7.6.5) and upgrade to a patched version once available. In the absence of an official patch, administrators should disable or restrict access to the vulnerable AJAX endpoint (rocket_front_payment_seesummary) by implementing server-side access controls such as IP whitelisting or authentication checks. Employing Web Application Firewalls (WAFs) to detect and block suspicious enumeration patterns targeting form_r_id parameters can reduce exposure. Additionally, reviewing and minimizing the amount of sensitive data collected via forms can limit potential leakage. Regular security audits of WordPress plugins and monitoring for unusual access patterns to AJAX endpoints are recommended. Finally, organizations should ensure compliance with GDPR by promptly notifying affected users and authorities if a data breach occurs.