CVE-2025-12536 MEDIUM

CVE-2025-12536: SureForms <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure

Vendor Brainstormforce
Product SureForms – Contact Form, Payment Form & Other Custom Form Builder
Weakness CWE-359
Published November 13, 2025
Last update April 8, 2026

CVSS base score 5.3 / 10 (Medium)

Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description (what the vulnerability does)

The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems.
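The registration pattern the description refers to, shown as an added illustration rather than SureForms' own code: the weak form with `auth_callback` set to `__return_true`, a hardened form that requires edit rights on the specific form post and keeps the value out of the REST API, and a small audit helper a site owner can run to find other meta keys registered the same way. The post type name `example_form` and the function names are assumptions.

```php
<?php
// Added illustration, not SureForms' code. The post type 'example_form' is assumed.

// Weak pattern: with '__return_true' as auth_callback, WordPress never checks
// who is asking before granting access to the meta key.
function example_register_meta_weak() {
    register_post_meta( 'example_form', '_srfm_email_notification', array(
        'type'          => 'string',
        'single'        => true,
        'show_in_rest'  => true,
        'auth_callback' => '__return_true',
    ) );
}

// Hardened pattern: require edit rights on the specific form post, and do not
// publish notification settings through the REST API at all.
function example_register_meta_hardened() {
    register_post_meta( 'example_form', '_srfm_email_notification', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => false,
        'sanitize_callback' => 'sanitize_text_field',
        'auth_callback'     => function ( $allowed, $meta_key, $post_id, $user_id ) {
            // Ignore the incoming $allowed value; decide on capability alone.
            return user_can( $user_id, 'edit_post', $post_id );
        },
    ) );
}
add_action( 'init', 'example_register_meta_hardened' );

// Audit helper: return the meta keys registered for $post_type whose
// auth_callback is '__return_true' while also being exposed in REST.
// Run after 'init' so plugin registrations have already happened.
function example_audit_open_meta( $post_type ) {
    $flagged = array();
    foreach ( get_registered_meta_keys( 'post', $post_type ) as $key => $args ) {
        $open    = ( $args['auth_callback'] ?? null ) === '__return_true';
        $in_rest = ! empty( $args['show_in_rest'] );
        if ( $open && $in_rest ) {
            $flagged[] = $key;
        }
    }
    return $flagged; // empty array means nothing matched the weak pattern
}
```

Meta registered without a post-type subtype is not returned by the helper for a specific subtype; call it with an empty string as well to cover those registrations.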

Summary (the vulnerability in simple terms)

SureForms versions up to and including 1.13.1 expose sensitive information through improper access controls. An attacker with network access to the site can read private data without authentication or user interaction. The vulnerability affects form data and related information that should be restricted. Update to a version newer than 1.13.1 to resolve this issue.

Attacker capabilities (what an attacker can do)

Read sensitive form data and private information without logging in.

Site impact (potential impact on your site)

Form submissions and user data may be visible to unauthorized visitors.

Prerequisites (conditions required to exploit)

Network access only; no authentication or user interaction required.

Disclosure timeline (key dates)

November 13, 2025 CVE published
April 8, 2026 Record updated