SureForms – Drag and Drop Form Builder for WordPress < 1.12.1 – Missing Authorization to Authenticated (Contributor+) Form Creation | CVE 2025-10489 | Plugin Vulnerabilities

Description

The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it.

Affects Plugins

Fixed in 1.12.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6d03f316-542c-4128-b49d-fd2fd8609dd6

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Alex

Verified

No

WPVDB ID

de2c78df-2d3d-4590-9c4e-aef487b8e8ba

Timeline

Publicly Published

2025-09-19 (about 7 months ago)

Added

2025-09-19 (about 7 months ago)

Last Updated

2025-09-20 (about 7 months ago)

Other

Published

Title

Published

2024-01-10

Title

POST SMTP Mailer < 2.8.8 - Authorization Bypass via type connect-app API

Published

2025-10-21

Title

Litho Addons <= 3.4 - Missing Authorization

Published

2024-04-22

Title

Podlove Podcast Publisher < 4.0.15 - Cross-Site Request Forgery

Published

2024-04-17

Title

WPC Frequently Bought Together for WooCommerce < 7.0.4 - Missing Authorization

Published

2024-08-16

Title

UsersWP < 1.2.16 - Missing Authorization