Description
Missing Authorization vulnerability in Brainstorm Force SureForms Pro allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects SureForms Pro: from n/a through 2.8.0.
Published: 2026-04-29
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the SureForms Pro WordPress plugin versions up to 2.8.0. It results in a broken access control condition that allows an attacker to perform actions or access data that should be restricted to authorized users. The weakness is categorized as CWE-862, which describes improper authorization. A successful exploit could lead to the disclosure or modification of form data, configuration settings, or other sensitive information stored by the plugin.

Affected Systems

All WordPress sites that have installed the Brainstorm Force SureForms Pro plugin with a version of 2.8.0 or earlier are affected. The vulnerability applies regardless of the specific WordPress version, as long as the plugin is present and enabled.

Risk and Exploitability

The CVSS score of 7.3 classifies this flaw as high severity. The EPSS score is not available, so the current exploit probability cannot be quantified, but the lack of KEV listing suggests no widespread, publicly known exploitation remains active. Based on the description, the likely attack vector is web‑based exploitation where an attacker with limited access or the ability to craft requests to the plugin can bypass authorization checks and gain unauthorized access to protected data or functionality. The impact could be significant if sensitive form data is exposed, especially on sites handling personal or financial information.

Generated by OpenCVE AI on April 29, 2026 at 09:22 UTC.

Remediation

Vendor Solution

Update the WordPress SureForms Pro Plugin to the latest available version (at least 2.8.1).

OpenCVE Recommended Actions

  • Update the SureForms Pro plugin to version 2.8.1 or later.
  • Review WordPress user roles and enforce least privilege, ensuring that users only have the capabilities required for their responsibilities.
  • Disable the plugin if it is not essential until the patch is applied, or remove it permanently if no longer needed.

Generated by OpenCVE AI on April 29, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Brainstormforce
Brainstormforce sureforms
Wordpress
Wordpress wordpress
Vendors & Products Brainstormforce
Brainstormforce sureforms
Wordpress
Wordpress wordpress

Wed, 29 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Brainstorm Force SureForms Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SureForms Pro: from n/a through 2.8.0.
Title WordPress SureForms Pro plugin <= 2.8.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Brainstormforce Sureforms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T13:16:17.514Z

Reserved: 2026-04-27T08:22:05.095Z

Link: CVE-2026-42377

cve-icon Vulnrichment

Updated: 2026-04-29T13:16:11.681Z

cve-icon NVD

Status : Deferred

Published: 2026-04-29T08:16:18.337

Modified: 2026-04-29T21:15:41.667

Link: CVE-2026-42377

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:00:09Z

Weaknesses