Description
The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'wp_ajax_nopriv_rest-nonce' action. While the plugin legitimately needs to support unauthenticated form submissions, it incorrectly uses generic REST nonces instead of form-specific nonces. This makes it possible for unauthenticated attackers to bypass CSRF protection on REST API endpoints that rely solely on nonce verification without additional authentication checks, allowing them to trigger unauthorized actions such as the plugin's own post-submission hooks and potentially other plugins' REST endpoints.
Published: 2025-11-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery bypass on WordPress REST API
Action: Apply Patch
AI Analysis

Impact

The vulnerability in SureForms lets unauthenticated attackers bypass CSRF protection by obtaining generic WordPress REST API nonces (wp_rest). Because the plugin distributes these nonces to unauthenticated users through the wp_ajax_nopriv_rest-nonce action, an attacker can submit crafted REST API requests that pass the nonce check those endpoints rely on. This allows triggering the plugin's own post-submission hooks and potentially any other REST endpoints that depend solely on nonce verification without an authentication or capability check, thus permitting unauthorized actions on the site.

Affected Systems

The affected product is the SureForms contact, payment, and custom form builder plugin for WordPress, versions 1.13.1 and earlier. The plugin is maintained by brainstormforce. Users running these versions on any WordPress installation are vulnerable. No specific WordPress core version is mentioned, so any contemporary WordPress site utilizing the plugin remains at risk.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity, while the EPSS score below 1% indicates that exploitation is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based (AV:N) and needs no privileges or user interaction: only an unauthenticated HTTP request to the wp_ajax_nopriv_rest-nonce action, followed by a request to a REST API endpoint. Attackers can trigger actions through the plugin's REST endpoints that are protected only by nonce verification.

Generated by OpenCVE AI on April 21, 2026 at 01:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SureForms to the latest release in which the nonce handling has been corrected, so that form-specific nonces are used instead of the generic wp_rest nonce.
  • Disable unauthenticated access to the wp_ajax_nopriv_rest-nonce action and to the plugin's other REST API routes, either by removing or restricting that action in the plugin's code or by configuring authentication rules in front of those routes.
  • If an immediate update is not possible, add a firewall rule (e.g., via ModSecurity or a WordPress security plugin) that blocks unauthenticated requests to /wp-admin/admin-ajax.php?action=rest-nonce and filters forged REST API calls to the plugin's endpoints.
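As an added illustration of the form-scoped nonce pattern that the description and the first recommended action call for, here is a small WordPress plugin fragment. It is example code written for this page, not SureForms or Brainstormforce code and not the vendor's fix. The route namespace example-forms/v1, the function names, the form_token parameter and the hook name example_forms_after_submit_admin are assumptions made for the example; register_rest_route, wp_create_nonce, wp_verify_nonce, current_user_can and the other WordPress calls are the real core API.

```php
<?php
/**
 * Illustrative pattern only (not SureForms code): a public form hands out a
 * nonce scoped to that one form, and no nonce ever stands in for
 * authentication on a REST route.
 */

// Hypothetical route namespace used for this illustration.
const EXAMPLE_FORMS_NS = 'example-forms/v1';

/**
 * Nonce action tied to a single form id. A token issued for form 7 is not a
 * valid 'wp_rest' nonce, so it cannot satisfy another route's nonce-only
 * check the way a generic REST nonce could.
 */
function example_forms_nonce_action( $form_id ) {
	return 'example_forms_submit_' . absint( $form_id );
}

/**
 * Called when the form is rendered: the visitor (logged in or not) receives
 * only a form-scoped token in a hidden field, never a generic wp_rest nonce.
 */
function example_forms_render_token_field( $form_id ) {
	$nonce = wp_create_nonce( example_forms_nonce_action( $form_id ) );
	return '<input type="hidden" name="form_token" value="' . esc_attr( $nonce ) . '">';
}

/**
 * permission_callback for the submit route: verifies the form-scoped token.
 * A nonce only shows the request came from a page that issued it; it does
 * not identify the caller, so nothing privileged may hinge on it.
 */
function example_forms_check_form_nonce( WP_REST_Request $request ) {
	$form_id = absint( $request['form_id'] );
	$token   = $request->get_param( 'form_token' );

	if ( empty( $token ) || ! wp_verify_nonce( $token, example_forms_nonce_action( $form_id ) ) ) {
		return new WP_Error( 'rest_forbidden', 'Invalid or missing form token.', array( 'status' => 403 ) );
	}
	return true;
}

/**
 * Submission handler. The unauthenticated path only records the entry;
 * any administrative side effect is gated on a capability check rather than
 * on the presence of a nonce.
 */
function example_forms_handle_submit( WP_REST_Request $request ) {
	$form_id = absint( $request['form_id'] );
	$fields  = array_map(
		'sanitize_text_field',
		array_filter( (array) $request->get_param( 'fields' ), 'is_scalar' )
	);

	// Public path: hand the sanitized entry to storage (hypothetical hook).
	do_action( 'example_forms_store_entry', $form_id, $fields );

	// Privileged side effects require a capability, not merely a nonce.
	if ( current_user_can( 'manage_options' ) ) {
		do_action( 'example_forms_after_submit_admin', $form_id, $fields );
	}

	return rest_ensure_response( array( 'received' => true, 'form_id' => $form_id ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( EXAMPLE_FORMS_NS, '/submit/(?P<form_id>\d+)', array(
		'methods'             => 'POST',
		'callback'            => 'example_forms_handle_submit',
		'permission_callback' => 'example_forms_check_form_nonce',
		'args'                => array(
			'form_id' => array(
				'required'          => true,
				'validate_callback' => function ( $value ) { return is_numeric( $value ); },
			),
		),
	) );
} );

// The pattern the advisory describes, shown only as the contrast and kept
// disabled: a nopriv AJAX action that gives the generic REST nonce to anyone.
// add_action( 'wp_ajax_nopriv_rest-nonce', function () {
//     wp_send_json_success( wp_create_nonce( 'wp_rest' ) );
// } );
```

Two design points follow from the advisory. First, the nonce action string carries the form id, so a token that a visitor legitimately receives for one form is useless against any route that checks for the 'wp_rest' action. Second, wp_create_nonce for a logged-out visitor is computed for user id 0 with an empty session token, so it identifies nobody; the permission callback therefore treats it as proof of request origin only, and the handler decides what may happen based on current_user_can, which is the "additional authentication check" the description says the affected endpoints lacked.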

Advisories

No advisories yet.

History

Thu, 20 Nov 2025 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Brainstormforce; Brainstormforce sureforms; Wordpress; Wordpress wordpress
Vendors & Products   (none)           Brainstormforce; Brainstormforce sureforms; Wordpress; Wordpress wordpress

Wed, 19 Nov 2025 19:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 19 Nov 2025 07:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'wp_ajax_nopriv_rest-nonce' action. While the plugin legitimately needs to support unauthenticated form submissions, it incorrectly uses generic REST nonces instead of form-specific nonces. This makes it possible for unauthenticated attackers to bypass CSRF protection on REST API endpoints that rely solely on nonce verification without additional authentication checks, allowing them to trigger unauthorized actions such as the plugin's own post-submission hooks and potentially other plugins' REST endpoints.
Title         (none)           SureForms <= 1.13.1 - Cross-Site Request Forgery Protection Bypass via Improper Nonce Distribution
Weaknesses    (none)           CWE-352
References    (none)
Metrics       (none)           cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:56.985Z

Reserved: 2025-10-30T19:51:09.849Z

Link: CVE-2025-12535

Vulnrichment

Updated: 2025-11-19T18:51:13.134Z

NVD

Status : Deferred

Published: 2025-11-19T07:15:49.753

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12535

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses