Vulnerabilities and security researches forzigaform-calculator-cost-estimation-form-builder-lite zigaform-calculator-cost-estimation-form-builder-lite

Dec 11, 2025

CVE, Research URL: CVE-2025-13696
Home page URL: Security reports for Zigaform – Price Calculator & Cost Estimation Form Builder Lite
Application: Zigaform – Price Calculator & Cost Estimation Form Builder Lite
Date: Dec 02, 2025
Research Description: The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This makes it possible for unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data via the rocket_front_payment_seesummary action by enumerating sequential form_r_id values.
Affected versions: max 7.6.7.
Status: vulnerable

Feb 28, 2025

CVE, Research URL: CVE-2025-26994
Home page URL: Security reports for Zigaform – Price Calculator & Cost Estimation Form Builder Lite
Application: Zigaform – Price Calculator & Cost Estimation Form Builder Lite
Date: Mar 03, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in softdiscover Zigaform – Price Calculator & Cost Estimation Form Builder Lite allows Stored XSS. This issue affects Zigaform – Price Calculator & Cost Estimation Form Builder Lite: from n/a through 7.4.2.
Affected versions: max 7.4.3.
Status: vulnerable

Feb 20, 2025

CVE, Research URL: CVE-2024-13587
Home page URL: Security reports for Zigaform – Price Calculator & Cost Estimation Form Builder Lite
Application: Zigaform – Price Calculator & Cost Estimation Form Builder Lite
Date: Feb 18, 2025
Research Description: The Zigaform – Price Calculator & Cost Estimation Form Builder Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zgfm_fvar' shortcode in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 7.4.8.
Status: vulnerable