CVE-2025-10489: CWE-862 Missing Authorization in brainstormforce SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more
The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it.
AI Analysis
Technical Summary
CVE-2025-10489 is a missing-authorization flaw (CWE-862) in the SureForms plugin for WordPress, developed by Brainstormforce, affecting every release up to and including 1.12.0. According to the Wordfence advisory, the plugin's register_post_types() function registers the form post type without an adequate capability check, so an authenticated user with the Contributor role or above can create forms even though the plugin's admin interface hides that ability from them. Hiding a menu entry is not access control in WordPress: core enforces whatever capabilities a custom post type was registered with on every creation path (wp-admin post screens, admin-ajax, XML-RPC and, where the type is exposed there, the REST API), and the usual root cause of this class of finding is a post type left on the default 'post' capability type, which any role holding edit_posts can create, Contributors included. The CVSS v3.1 base score is 4.3 (medium): network attack vector, low attack complexity, low privileges required (an authenticated Contributor), no user interaction, unchanged scope, low integrity impact, and no confidentiality or availability impact. No exploitation in the wild has been reported and the record links no patch, although the stated affected range implies a fix in releases after 1.12.0; confirm against the vendor changelog. The realistic abuse scenario is a malicious insider or a compromised Contributor account creating forms the site owner never intended, for example to collect visitor data.
Potential Impact
For European organizations running WordPress with SureForms, the risk is unauthorized creation of forms by any user holding the Contributor role or higher. Confidentiality and availability are not directly affected, but the integrity of the site's content and of its data-collection surface is: an attacker-controlled form can harvest personal data from visitors, impersonate legitimate contact or intake forms for phishing, or carry misleading content. Collecting personal data through such a form without a lawful basis is a GDPR problem for the site operator, with the reputational and regulatory consequences that follow, and WordPress is common enough across European business, government and non-profit sites that the exposure is not marginal. Two factors bound it. First, exploitation requires an authenticated account, so the realistic actors are malicious insiders and compromised Contributor accounts rather than anonymous attackers; sites with many contributors, shared logins or weak password and MFA hygiene are the most exposed. Second, the advisory describes only creation: whether a Contributor-created form ever becomes reachable by visitors depends on how the site embeds and publishes forms, since Contributors cannot publish ordinary posts on their own. Because the flaw needs no user interaction and is trivial to trigger once a Contributor session exists, any compromised Contributor account should be assumed capable of using it.
Mitigation Recommendations
Inventory WordPress installations for the SureForms plugin and record the installed version; every release up to and including 1.12.0 is affected, so check the vendor changelog for a release that references CVE-2025-10489 and update to it as soon as it is available. Where no fixed release can be deployed yet, enforce the check yourself: WordPress honours the capabilities a post type is registered with on every creation path (wp-admin, admin-ajax, XML-RPC, REST), so raising the form post type's capabilities to an administrator-level capability through the register_post_type_args filter in a must-use plugin closes the gap server-side; alternatively, deactivate the plugin if forms are not business-critical. Review existing Contributor and Author accounts and remove or downgrade any that are no longer needed, and require MFA for every account that can log in to wp-admin. Audit forms already present: list entries of the form post type and flag any whose author is not an administrator, then review their fields and submission destinations. Log form creation with the acting user and source address, and alert on any form created by a non-administrator. A WAF is of limited use here because form creation is an ordinary authenticated request to standard WordPress endpoints; treat WAF rules as supplementary to the server-side capability fix, not a replacement. After installing the fixed release, verify with a Contributor test account that a form can no longer be created through the REST API or the post editor, not merely that the menu item is hidden.
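One way to enforce the missing check while waiting for a vendor release, as an added example written for this page and not SureForms code: a must-use plugin that maps every capability of the form post type onto manage_options, logs each form creation with the acting user, and lists existing forms whose author lacks that capability. The post type slug sureforms_form, the file name and the hfc_ prefix are assumptions; confirm the slug with `wp post-type list` or by reading the plugin's register_post_type() call before relying on this.

```php
<?php
/**
 * Plugin Name: Form post type capability hardening (added example)
 * Description: Forces an administrator-level capability on a form post type and logs
 *              form creation. Written for this page; not SureForms code.
 *
 * Install as wp-content/mu-plugins/harden-form-caps.php. Must-use plugins load before
 * ordinary plugins, so the filter below is in place when the form plugin registers its type.
 */

// ASSUMPTION: slug under which the form plugin registers its forms. Verify it with
// `wp post-type list` or by locating the plugin's register_post_type() call.
const HFC_FORM_POST_TYPE = 'sureforms_form';

// Capability every form operation is mapped to. Administrators hold it by default;
// grant it explicitly to any other role that legitimately manages forms.
const HFC_REQUIRED_CAP = 'manage_options';

/**
 * Rewrite the post type's capability map before core stores it. A type left on the default
 * capability_type 'post' is creatable by any role with edit_posts (Contributors included)
 * regardless of menu visibility; mapping the primitives onto HFC_REQUIRED_CAP makes core
 * deny creation on post-new.php, admin-ajax, XML-RPC and the REST API alike.
 */
add_filter(
	'register_post_type_args',
	function ( array $args, string $post_type ): array {
		if ( HFC_FORM_POST_TYPE !== $post_type ) {
			return $args;
		}
		$primitive_caps = array(
			'edit_posts', 'edit_others_posts', 'edit_private_posts', 'edit_published_posts',
			'publish_posts', 'read_private_posts', 'create_posts',
			'delete_posts', 'delete_others_posts', 'delete_private_posts', 'delete_published_posts',
		);
		$args['capabilities'] = array_fill_keys( $primitive_caps, HFC_REQUIRED_CAP );
		// Let core resolve the edit_post / delete_post / read_post meta caps onto the primitives.
		$args['map_meta_cap'] = true;
		return $args;
	},
	10,
	2
);

/**
 * Log every form creation and fire an action when the actor lacks the required capability.
 * A new post arrives with old status 'new' (REST, XML-RPC, wp_insert_post) or 'auto-draft'
 * (wp-admin editor); the auto-draft placeholder itself is not counted as a creation.
 */
add_action(
	'transition_post_status',
	function ( string $new_status, string $old_status, WP_Post $post ): void {
		if ( HFC_FORM_POST_TYPE !== $post->post_type ) {
			return;
		}
		$is_creation = in_array( $old_status, array( 'new', 'auto-draft' ), true )
			&& 'auto-draft' !== $new_status;
		if ( ! $is_creation ) {
			return;
		}
		$user  = wp_get_current_user(); // ID 0 when created from cron or CLI without a user.
		$entry = array(
			'event'      => 'form_created',
			'post_id'    => $post->ID,
			'status'     => $new_status,
			'user_id'    => $user->ID,
			'user_login' => $user->user_login,
			'authorized' => user_can( $user, HFC_REQUIRED_CAP ),
			// Behind a reverse proxy, use the client-address header the proxy sets instead.
			'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] )
				? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
		);
		error_log( 'harden-form-caps ' . wp_json_encode( $entry ) );
		if ( ! $entry['authorized'] ) {
			do_action( 'hfc_unauthorized_form_creation', $post, $user ); // attach mail/SIEM here
		}
	},
	10,
	3
);

/**
 * Triage helper for forms that already exist: IDs of forms whose author lacks the required
 * capability. Run with: wp eval 'print_r( hfc_forms_by_unprivileged_authors() );'
 */
function hfc_forms_by_unprivileged_authors(): array {
	$ids     = get_posts( array(
		'post_type'   => HFC_FORM_POST_TYPE,
		'post_status' => 'any',
		'numberposts' => -1,
		'fields'      => 'ids',
	) );
	$suspect = array();
	foreach ( $ids as $id ) {
		$author_id = (int) get_post_field( 'post_author', $id );
		if ( ! user_can( $author_id, HFC_REQUIRED_CAP ) ) {
			$suspect[] = $id;
		}
	}
	return $suspect;
}
```

The filter only governs how WordPress core treats the post type; if the plugin also creates forms through its own AJAX or REST handlers that bypass core's post type capability checks, those paths still need the vendor fix, so test creation through every route a Contributor can reach and keep the logging in place until the patched release is installed.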
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-15T15:14:26.747Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 68cf42444a0b186b9321b044
Added to database: 9/21/2025, 12:09:40 AM
Last enriched: 9/28/2025, 12:46:29 AM
Last updated: 11/3/2025, 9:11:44 AM