SureForms < 1.13.2 – Unauthenticated Sensitive Information Exposure | CVE 2025-12536 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Sensitive Information Exposure via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems.

Affects Plugins

Fixed in 1.13.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9e8e239a-0ddf-479e-b94b-7844ff6e9e81

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

2eae8a6f-5b66-4891-b022-73b06061fd02

Timeline

Publicly Published

2025-11-12 (about 6 months ago)

Added

2025-11-12 (about 6 months ago)

Last Updated

2025-11-12 (about 6 months ago)

Other

Published

Title

Published

2026-03-30

Title

Gravity SMTP < 2.1.5 - Unauthenticated Sensitive Information Exposure via REST API

Published

2024-03-05

Title

Backup and Restore WordPress < 1.50 - Unauthenticated Sensitive Data Exposure

Published

2025-04-11

Title

Developer Toolbar <= 1.0.3 - Unauthenticated Information Exposure

Published

2022-08-01

Title

Duplicator < 1.4.7.1 - Unauthenticated System Information Disclosure

Published

2022-08-01

Title

Ninja Job Board < 1.3.3 - Resume Disclosure via Directory Listing