Description
The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses.
Published: 2025-12-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Immediate Patch
AI Analysis

Impact

The SurveyFunnel – Survey Plugin for WordPress contains sensitive information exposure vulnerabilities in all releases up to and including version 1.1.5. The flaw arises from several REST API endpoints that lack authentication checks, allowing attackers to query and retrieve confidential survey responses. This results in unauthorized disclosure of data that the plugin stores, violating confidentiality safeguards and potentially revealing private respondent information.

Affected Systems

The vulnerability applies to installations of the SurveyFunnel – Survey Plugin for WordPress running any version through 1.1.5. Any WordPress site that has this plugin installed and has maintained that or earlier versions is susceptible, regardless of the broader WordPress environment.

Risk and Exploitability

The reported CVSS score of 5.3 indicates a medium severity impact. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is unauthenticated and exposed via public REST API endpoints, meaning an attacker can exploit it without credentials simply by accessing the plugin’s URLs. The compromise compromises only confidentiality, with no direct impact on integrity or availability.

Generated by OpenCVE AI on April 21, 2026 at 01:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SurveyFunnel – Survey Plugin for WordPress to the latest version that excludes the vulnerable API endpoints.
  • If upgrading is not immediately possible, block or restrict access to the /wp-json/surveyfunnel/v2/ endpoints by configuring your web server or through security plugins to require authentication.
  • After remediation, review legacy data for exposed survey responses and consider deleting or encrypting any sensitive data that may have been leaked.
  • Monitor the WordPress logs for unusual API calls to ensure no further exploitation occurs.

Generated by OpenCVE AI on April 21, 2026 at 01:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpeka-club
Wpeka-club surveyfunnel
Vendors & Products Wordpress
Wordpress wordpress
Wpeka-club
Wpeka-club surveyfunnel

Fri, 05 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses.
Title SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
Wpeka-club Surveyfunnel
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:06.337Z

Reserved: 2025-11-11T14:12:52.783Z

Link: CVE-2025-13006

cve-icon Vulnrichment

Updated: 2025-12-05T15:59:43.247Z

cve-icon NVD

Status : Deferred

Published: 2025-12-05T05:16:56.937

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13006

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:15:20Z

Weaknesses