{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10489", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-15T15:14:26.747Z", "datePublished": "2025-09-20T04:27:55.370Z", "dateUpdated": "2026-04-08T16:59:19.253Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:19.253Z"}, "affected": [{"vendor": "brainstormforce", "product": "SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.12.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SureForms \u2013 Drag and Drop Contact Form Builder \u2013 Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it."}], "title": "SureForms \u2013 Drag and Drop Form Builder for WordPress <= 1.12.0 - Missing Authorization to Authenticated (Contributor+) Form Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d03f316-542c-4128-b49d-fd2fd8609dd6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3363914/sureforms/trunk/inc/post-types.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jessie Irelan"}], "timeline": [{"time": "2025-09-15T15:29:38.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-19T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-22T15:10:03.997201Z", "id": "CVE-2025-10489", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-22T15:10:15.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10489", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-22T15:10:03.997201Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-22T15:10:08.368Z"}}], "cna": {"title": "SureForms \u2013 Drag and Drop Form Builder for WordPress <= 1.12.0 - Missing Authorization to Authenticated (Contributor+) Form Creation", "credits": [{"lang": "en", "type": "finder", "value": "Jessie Irelan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "brainstormforce", "product": "SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.12.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-15T15:29:38.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-19T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d03f316-542c-4128-b49d-fd2fd8609dd6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3363914/sureforms/trunk/inc/post-types.php"}], "descriptions": [{"lang": "en", "value": "The SureForms \u2013 Drag and Drop Contact Form Builder \u2013 Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:19.253Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10489", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:19.253Z", "dateReserved": "2025-09-15T15:14:26.747Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-20T04:27:55.370Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SureForms \u2013 Drag and Drop Contact Form Builder \u2013 Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it."}], "id": "CVE-2025-10489", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-20T05:15:35.657", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3363914/sureforms/trunk/inc/post-types.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d03f316-542c-4128-b49d-fd2fd8609dd6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:20:27.743110+00:00", "value": {"mitigation_remediation": ["Update SureForms to a version newer than 1.12.0", "If an upgrade is not possible, disable or restrict the form creation endpoint for Contributor and higher roles using a role\u2011management plugin or custom code", "Audit existing forms for unauthorized entries and remove any that were generated by users lacking full creation privileges"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Form Creation"}, "threat_synthesis": {"affected_systems": "The issue affects the SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder plugin from brainstormforce, in all versions up to and including 1.12.0.", "description_and_impact": "The vulnerability is a missing capability check in the register_post_types() function of the SureForms plugin. Because this check is omitted, users with Contributor level access and higher can create forms even though the user interface explicitly blocks that action. This flaw allows authenticated attackers to add forms to a WordPress site without authorization or oversight.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates a moderate severity. The EPSS score of less than 1% shows a very low probability of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. Exfiltration or data collection would require an authenticated user with at least Contributor privileges, and the attacker would need to use the WordPress administrative interface or an API endpoint that the plugin exposes to create the form. Once a form is created, it can be accessed by site visitors, potentially allowing the attacker to collect data or host malicious content."}}}}, "created": "2025-09-22T09:58:53.934324+00:00", "updated": "2026-04-22T13:30:17.921643+00:00", "vendors": ["brainstormforce", "brainstormforce$PRODUCT$sureforms", "wordpress", "wordpress$PRODUCT$wordpress"]}