{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12536", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-30T20:16:38.662Z", "datePublished": "2025-11-13T03:27:39.017Z", "dateUpdated": "2026-04-08T17:11:47.222Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:47.222Z"}, "affected": [{"vendor": "brainstormforce", "product": "SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.13.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems."}], "title": "SureForms <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e8e239a-0ddf-479e-b94b-7844ff6e9e81?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/post-types.php#L892"}, {"url": "https://plugins.trac.wordpress.org/changeset/3391762/sureforms/trunk/inc/post-types.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor", "cweId": "CWE-359", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2025-10-30T20:33:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-12T15:01:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T14:27:17.734948Z", "id": "CVE-2025-12536", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T14:34:11.893Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12536", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-13T14:27:17.734948Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T14:27:19.827Z"}}], "cna": {"title": "SureForms <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "brainstormforce", "product": "SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.13.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-30T20:33:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-12T15:01:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e8e239a-0ddf-479e-b94b-7844ff6e9e81?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/post-types.php#L892"}, {"url": "https://plugins.trac.wordpress.org/changeset/3391762/sureforms/trunk/inc/post-types.php"}], "descriptions": [{"lang": "en", "value": "The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-359", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:47.222Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12536", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:47.222Z", "dateReserved": "2025-10-30T20:16:38.662Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-13T03:27:39.017Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems."}], "id": "CVE-2025-12536", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-13T04:15:46.130", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/post-types.php#L892"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3391762/sureforms/trunk/inc/post-types.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e8e239a-0ddf-479e-b94b-7844ff6e9e81?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-359"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:22:54.442727+00:00", "value": {"mitigation_remediation": ["Update SureForms to a version newer than 1.13.1 to remove the insecure auth_callback setting.", "If an update is not immediately possible, edit the plugin code to change the 'auth_callback' parameter from '__return_true' to a function that enforces authentication, or delete the '_srfm_email_notification' post meta entry.", "Audit and sanitize email notification templates and configuration data to ensure no malicious content is injected into downstream CRM or help desk systems."], "summary": {"action": "Apply patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that run SureForms plugin version 1.13.1 or earlier. The vendor is brainstormforce, and the product is SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder.", "description_and_impact": "The vulnerability in the SureForms plugin allows unauthenticated users to retrieve the '_srfm_email_notification' post meta, which stores configuration data for email notifications. This data often includes vendor\u2011provided CRM or help desk drop\u2011box addresses, CC/BCC recipients, and notification templates. Exposure of this information can enable attackers to inject malicious data into downstream systems by manipulating these configurations.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. The flaw is exploitable via unauthenticated HTTP requests that target the plugin\u2019s post meta endpoint, after the plugin sets the 'auth_callback' parameter to '__return_true', which bypasses normal authentication checks."}}}}, "created": "2025-11-13T09:52:03.570638+00:00", "updated": "2026-04-21T18:30:27.583325+00:00", "vendors": ["brainstormforce", "brainstormforce$PRODUCT$sureforms", "wordpress", "wordpress$PRODUCT$wordpress"]}