CVE-2025-10732

MEDIUM

WordPress SureForms <1.12.2 - Info Disclosure

Title source: llm

Description

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings.

References (4)

Core 4

Core References

Product

https://plugins.trac.wordpress.org/browser/sureforms/tags/1.12.0/inc/global-settings/global-settings.php#L314

Product

https://plugins.trac.wordpress.org/browser/sureforms/tags/1.12.0/inc/global-settings/global-settings.php#L64

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3368400%40sureforms&new=3368400%40sureforms&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/f30ae90a-54fb-4c55-a6ed-9c411a6997fb?source=cve

Scores

CVSS v3 4.3

EPSS 0.0023

EPSS Percentile 13.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (2)

brainstormforce/SureForms – Contact Form, Payment Form & Other Custom Form Builder < 1.12.1

brainstormforce/SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more < 1.12.1

Published Oct 14, 2025

Tracked Since Feb 18, 2026