CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
What the vulnerability does
The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses.
Explanation of Vulnerability in Simple Terms
The SurveyFunnel plugin for WordPress versions 1.1.5 and earlier exposes sensitive information to unauthenticated attackers over the network. An attacker can read data without needing to log in or interact with a site administrator. The plugin does not properly restrict access to certain endpoints or data. Update to a version newer than 1.1.5.
What an attacker can do
Read sensitive information from the plugin without logging in.
Potential impact on your site
Sensitive survey data or plugin configuration may be visible to anyone on the internet.
Conditions required to exploit
Network access to the WordPress site; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
