What the vulnerability does
01 Description
The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems.
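As an added illustration (not SureForms' own code), the permissive meta registration pattern the advisory describes sits beside a hardened form, followed by an audit helper a site owner could run to list meta keys registered with '__return_true'; the post type 'example_form' and the string meta type are assumptions.

```php
<?php
// Illustrative WordPress meta registration, not SureForms' own code.
// 'example_form' is an assumed placeholder post type.

// Weak pattern named in the advisory: a "_"-prefixed (protected) meta key
// registered with auth_callback '__return_true', which removes the
// capability check WordPress would otherwise apply to a protected key.
function example_register_meta_weak() {
    register_post_meta( 'example_form', '_srfm_email_notification', array(
        'type'          => 'string',
        'single'        => true,
        'show_in_rest'  => true,
        'auth_callback' => '__return_true',
    ) );
}

// Hardened form: keep the key out of REST responses (the admin screen can
// read it server-side) and tie the auth check to the user's right to edit
// the specific form post. auth_callback receives ($allowed, $meta_key,
// $object_id, $user_id, $cap, $caps); only the first three are needed here.
function example_register_meta_hardened() {
    register_post_meta( 'example_form', '_srfm_email_notification', array(
        'type'          => 'string',
        'single'        => true,
        'show_in_rest'  => false,
        'auth_callback' => function ( $allowed, $meta_key, $post_id ) {
            return current_user_can( 'edit_post', $post_id );
        },
    ) );
}
add_action( 'init', 'example_register_meta_hardened' );

// Defender check: return every registered meta key on the given post type
// whose auth_callback is the permissive '__return_true'. register_meta()
// stores the resolved auth_callback, so get_registered_meta_keys() exposes it.
function example_find_permissive_meta( $post_type ) {
    $flagged = array();
    foreach ( get_registered_meta_keys( 'post', $post_type ) as $key => $args ) {
        if ( isset( $args['auth_callback'] ) && '__return_true' === $args['auth_callback'] ) {
            $flagged[] = $key;
        }
    }
    return $flagged;
}
```

Run example_find_permissive_meta() on an 'init' hook after plugins have registered their meta, so the registry is fully populated.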
Explanation of Vulnerability in Simple Terms
02 Summary
SureForms versions up to 1.13.1 expose sensitive information through improper access controls. An attacker on the network can read private data without authentication or user interaction. The vulnerability affects form data and related information that should be restricted. Update to a version newer than 1.13.1 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Read sensitive form data and private information without logging in.
Potential impact on your site
04 Site Impact
Form submissions and user data may be visible to unauthorized visitors.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
November 13, 2025: CVE published
April 8, 2026: Record updated