CVE-2025-13696 – The Zigaform WordPress plugin exposes sensitive... (How to Fix)

Q: What is the severity of CVE-2025-13696?

CVE-2025-13696 has a CVSS score of 5.3 (MEDIUM). The Zigaform WordPress plugin exposes sensitive form submission data through an unauthenticated AJAX endpoint. Unauthenticated attackers can extract personal information, payment details, and other private data by enumerating form submission IDs. WordPress sites using Zigaform versions up to 7.6.5 are affected.

📋 TL;DR

The Zigaform WordPress plugin exposes sensitive form submission data through an unauthenticated AJAX endpoint. Unauthenticated attackers can extract personal information, payment details, and other private data by enumerating form submission IDs. WordPress sites using Zigaform versions up to 7.6.5 are affected.

💻 Affected Systems

Products:

Zigaform WordPress Plugin

Versions: Up to and including 7.6.5

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All WordPress installations with vulnerable Zigaform versions are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Mass exfiltration of all form submissions containing sensitive personal data, financial information, and confidential business data, leading to identity theft, financial fraud, and regulatory violations.

🟠

Likely Case

Targeted extraction of specific form submissions containing personal identifiable information (PII) and payment details, potentially leading to identity theft and financial loss.

🟢

If Mitigated

Limited exposure of non-sensitive form data or complete prevention if proper access controls are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires simple HTTP requests to the vulnerable AJAX endpoint with sequential form_r_id enumeration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.6.6 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/zigaform-calculator-cost-estimation-form-builder-lite/trunk/modules/formbuilder/controllers/uiform-fb-controller-frontend.php#L106

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Zigaform plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 7.6.6+ from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

all

Add code to WordPress theme's functions.php to block access to the vulnerable rocket_front_payment_seesummary action

add_action('init', function() { if (isset($_REQUEST['action']) && $_REQUEST['action'] === 'rocket_front_payment_seesummary') { wp_die('Access denied'); } });

Web Application Firewall rule

all

Block requests to the vulnerable AJAX endpoint using WAF rules

Block URL pattern: */wp-admin/admin-ajax.php?action=rocket_front_payment_seesummary*

🧯 If You Can't Patch

Disable the Zigaform plugin immediately
Implement strict network access controls to limit access to the WordPress admin-ajax.php endpoint

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Zigaform version. If version is 7.6.5 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=zigaform --field=version

Verify Fix Applied:

After updating, verify the plugin version shows 7.6.6 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Multiple GET/POST requests to /wp-admin/admin-ajax.php with action=rocket_front_payment_seesummary parameter
Unusual spike in requests to admin-ajax.php with form_r_id parameter

Network Indicators:

HTTP requests containing 'rocket_front_payment_seesummary' in query parameters
Sequential enumeration patterns in form_r_id parameter values

SIEM Query:

source="web_logs" AND (url="*admin-ajax.php*" AND (query="*action=rocket_front_payment_seesummary*" OR query="*form_r_id=*"))

📊 Metadata

CVE ID: CVE-2025-13696

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-200

EPSS Score: 0.06% exploit probability (18.8th percentile)

Published: December 2, 2025

Last Updated: December 2, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13696, you might also want to check these: