What the vulnerability does
01 Description
The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This makes it possible for unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data via the rocket_front_payment_seesummary action by enumerating sequential form_r_id values.
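To make the missing check concrete, here is the same AJAX handler written two ways, as an added illustration that is not Zigaform's code and does not reflect how the plugin is actually implemented. The table name `zf_submissions`, its `user_id` column, the nonce name `zf_seesummary` and the `zf_example_*` function names are assumptions; only the action name and the `form_r_id` parameter come from the advisory above. The first function shows the shape of the defect (a handler reachable by anonymous callers that returns whichever row it is asked for); the second adds a nonce check, drops the `nopriv` registration, and enforces ownership.

```php
<?php
// Added example, not Zigaform's code: an AJAX handler written two ways.
// Table name, column names, nonce name and function names are assumptions.

// --- Vulnerable pattern (the class of defect the advisory describes) ---
// If this function were hooked to both wp_ajax_<action> and
// wp_ajax_nopriv_<action>, anyone on the internet could call it. It does
// not check a nonce, a capability, or who owns submission form_r_id, so
// every row is readable by anyone who can guess its sequential id.
function zf_example_seesummary_vulnerable() {
    global $wpdb;
    $form_r_id = isset( $_REQUEST['form_r_id'] ) ? absint( $_REQUEST['form_r_id'] ) : 0;
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}zf_submissions WHERE id = %d", $form_r_id ),
        ARRAY_A
    );
    wp_send_json_success( $row ); // returns the row to whoever asked
}
// Not registered here on purpose; the hardened handler below is.

// --- Hardened pattern ---
function zf_example_seesummary_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this session.
    //    check_ajax_referer() terminates the request when the nonce is bad.
    check_ajax_referer( 'zf_seesummary', 'nonce' );

    // 2. Authentication: anonymous callers never reach this function because
    //    no wp_ajax_nopriv_ hook is registered for the action (see below).
    $user_id = get_current_user_id();

    $form_r_id = isset( $_REQUEST['form_r_id'] ) ? absint( $_REQUEST['form_r_id'] ) : 0;
    if ( 0 === $form_r_id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }

    global $wpdb;
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}zf_submissions WHERE id = %d", $form_r_id ),
        ARRAY_A
    );

    // 3. Authorization: the caller must own the submission or be allowed to
    //    administer forms. "Missing" and "not yours" get the same 404 so the
    //    response does not reveal which ids exist.
    $is_owner = $row && (int) $row['user_id'] === $user_id;
    if ( ! $row || ( ! $is_owner && ! current_user_can( 'manage_options' ) ) ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    wp_send_json_success( $row );
}
add_action( 'wp_ajax_rocket_front_payment_seesummary', 'zf_example_seesummary_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: the endpoint is not public.
```

If guest (not logged-in) submitters legitimately need to review their own summary, the fix is not to re-add the `nopriv` hook with the sequential id; it is to store an unguessable per-submission token with the row and require that token instead of `form_r_id`, so that a valid request cannot be turned into a walk over every other submission.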
Explanation of Vulnerability in Simple Terms
02 Summary
Zigaform versions up to 7.6.5 expose sensitive information that can be accessed over the network without authentication. An attacker can retrieve data that should be restricted, such as form submissions, user details, or configuration information. This affects all installations of the affected version range. Update to a version newer than 7.6.5 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the form builder without logging in, such as form submissions or user information.
Potential impact on your site
04 Site Impact
Visitor and customer data collected via Zigaform may be exposed to anyone on the internet.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
December 2, 2025: CVE published
April 8, 2026: Record updated