Description
The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems.
Published: 2025-11-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply patch
AI Analysis

Impact

The vulnerability in the SureForms plugin allows unauthenticated users to retrieve the '_srfm_email_notification' post meta, which stores the configuration data for a form's email notifications. This data often includes vendor‑provided CRM or help desk drop‑box addresses, CC/BCC recipients, and notification templates. Disclosure of this information can enable attackers to inject malicious data into those downstream systems by abusing the exposed addresses and templates.

Affected Systems

WordPress sites that run the SureForms plugin at version 1.13.1 or earlier. The vendor is brainstormforce, and the product is SureForms – Contact Form, Payment Form & Other Custom Form Builder.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. The flaw is reachable through unauthenticated HTTP requests to the plugin's post meta endpoint, because the plugin registers the meta with the 'auth_callback' parameter set to '__return_true', which bypasses the normal capability check.

Generated by OpenCVE AI on April 21, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SureForms to a version newer than 1.13.1 to remove the insecure auth_callback setting.
  • If an update is not immediately possible, edit the plugin code to change the 'auth_callback' parameter from '__return_true' to a function that enforces authentication, or delete the '_srfm_email_notification' post meta entry.
  • Audit and sanitize email notification templates and configuration data to ensure no malicious content is injected into downstream CRM or help desk systems.
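As an added illustration (not SureForms' or OpenCVE's code), the weak registration pattern the advisory describes beside a hardened one. The post type 'example_form', the 'string' meta type and the function names are placeholders, since the page does not give them.

```php
<?php
/**
 * Added illustration for CVE-2025-12536, not SureForms' own code.
 * 'example_form' (the post type) and the 'string' meta type are placeholders.
 */

// WEAK (the pattern the advisory describes): '__return_true' answers "allowed"
// to every capability check WordPress routes through this key's auth_callback,
// so no user context or role is needed to reach '_srfm_email_notification'.
function example_register_notification_meta_weak() {
	register_post_meta( 'example_form', '_srfm_email_notification', array(
		'type'          => 'string',
		'single'        => true,
		'show_in_rest'  => true,
		'auth_callback' => '__return_true',
	) );
}

// HARDENED: answer the capability check from the requesting user's rights on
// the form post, and keep the notification configuration (CC/BCC recipients,
// drop-box addresses, templates) out of public REST responses entirely.
function example_register_notification_meta_hardened() {
	register_post_meta( 'example_form', '_srfm_email_notification', array(
		'type'              => 'string',
		'single'            => true,
		'show_in_rest'      => false,
		// Placeholder sanitizer; it must match the real shape of the stored value.
		'sanitize_callback' => 'sanitize_text_field',
		// Same arguments WordPress passes to the auth_{type}_meta_{key} filter.
		// An unauthenticated request arrives with $user_id 0 and is refused.
		'auth_callback'     => function ( $allowed, $meta_key, $post_id, $user_id ) {
			return user_can( $user_id, 'edit_post', $post_id );
		},
	) );
}
add_action( 'init', 'example_register_notification_meta_hardened' );
```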


Advisories

No advisories yet.

History

Thu, 13 Nov 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 13 Nov 2025 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Brainstormforce; Brainstormforce sureforms; Wordpress; Wordpress wordpress
Vendors & Products | | Brainstormforce; Brainstormforce sureforms; Wordpress; Wordpress wordpress

Thu, 13 Nov 2025 03:45:00 +0000

Type | Values Removed | Values Added
Description | | The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems.
Title | | SureForms <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure
Weaknesses | | CWE-359
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:47.222Z

Reserved: 2025-10-30T20:16:38.662Z

Link: CVE-2025-12536

Vulnrichment

Updated: 2025-11-13T14:27:19.827Z

NVD

Status : Deferred

Published: 2025-11-13T04:15:46.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses