Description
The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it.
Published: 2025-09-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Form Creation
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing capability check in the register_post_types() function of the SureForms plugin. Because this check is omitted, users with Contributor level access and higher can create forms even though the user interface explicitly blocks that action. This flaw allows authenticated attackers to add forms to a WordPress site without authorization or oversight.

Affected Systems

The issue affects the SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin from brainstormforce, in all versions up to and including 1.12.0.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity. The EPSS score of less than 1% shows a very low probability of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with at least Contributor privileges, and the attacker would need to use the WordPress administrative interface or an API endpoint that the plugin exposes to create the form. Once a form is created, it can be accessed by site visitors, potentially allowing the attacker to collect data or host malicious content.

Generated by OpenCVE AI on April 22, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SureForms to a version newer than 1.12.0
  • If an upgrade is not possible, disable or restrict the form creation endpoint for Contributor and higher roles using a role-management plugin or custom code
  • Audit existing forms for unauthorized entries and remove any that were generated by users lacking full creation privileges
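The second recommended action above (restricting form creation for Contributor and higher roles with custom code) relies on WordPress's own post-type capability mapping. The snippet below is an added illustration written for this record, not SureForms code and not a vendor patch: the post type slug `example_form` is a hypothetical stand-in, and it assumes the site's default role capabilities (Contributors hold `edit_posts` but not `edit_others_posts`). It shows the pattern a plugin's post-type registration should follow: map the `create_posts` capability to one Contributors lack, and re-check the same capability on the REST insert path, which is how the block editor and API clients create posts.

```php
<?php
// Added example, not SureForms code. The slug 'example_form' is a hypothetical
// post type; it assumes default WordPress role capabilities.

add_action( 'init', function () {
    register_post_type(
        'example_form',
        array(
            'label'           => 'Forms',
            'public'          => false,
            'show_ui'         => true,
            'show_in_rest'    => true,
            'capability_type' => 'post',
            // With map_meta_cap enabled, the 'create_posts' key decides who may
            // create new entries. Mapping it to edit_others_posts (held by
            // Editors and Administrators by default) excludes Contributors.
            'map_meta_cap'    => true,
            'capabilities'    => array(
                'create_posts' => 'edit_others_posts',
            ),
        )
    );
} );

// Defence in depth: enforce the same capability on the REST API insert path.
// 'rest_pre_insert_{post_type}' runs before a post is inserted or updated;
// returning a WP_Error aborts the request with the given status.
add_filter( 'rest_pre_insert_example_form', function ( $prepared_post, $request ) {
    $is_create = empty( $request['id'] );
    if ( $is_create && ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error(
            'rest_cannot_create',
            'Sorry, you are not allowed to create forms.',
            array( 'status' => 403 )
        );
    }
    return $prepared_post;
}, 10, 2 );
```

To confirm the mapping took effect, log in as a Contributor and check that `current_user_can( 'create_posts' )` evaluated against the post type's `cap->create_posts` returns false, and that a REST `POST` to the post type's route returns 403. The UI hiding the "Add New" button is not a substitute for either check, which is exactly the gap this CVE describes.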



Advisories
Source: EUVD
ID: EUVD-2025-30312
Title: The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it.
History

Mon, 22 Sep 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Brainstormforce; Brainstormforce sureforms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Brainstormforce; Brainstormforce sureforms; Wordpress; Wordpress wordpress

Sat, 20 Sep 2025 04:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it.

Type: Title
Values Removed: (none)
Values Added: SureForms – Drag and Drop Form Builder for WordPress <= 1.12.0 - Missing Authorization to Authenticated (Contributor+) Form Creation

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Brainstormforce Sureforms
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:19.253Z

Reserved: 2025-09-15T15:14:26.747Z

Link: CVE-2025-10489

Vulnrichment

Updated: 2025-09-22T15:10:08.368Z

NVD

Status: Deferred

Published: 2025-09-20T05:15:35.657

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses