CVE-2025-10732: CWE-862 Missing Authorization in brainstormforce SureForms – Contact Form, Payment Form & Other Custom Form Builder
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings.
AI Analysis
Technical Summary
The SureForms – Drag and Drop Form Builder for WordPress plugin contains an authorization bypass vulnerability (CWE-862) in the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. Authenticated attackers with contributor-level privileges or above can exploit this flaw to retrieve sensitive configuration data, including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings. This vulnerability affects all versions up to and including 1.12.1. The CVSS 3.1 base score is 4.3, reflecting a network attack vector with low complexity and requiring privileges but no user interaction. A patch is available to remediate the issue.
Potential Impact
The vulnerability allows unauthorized disclosure of sensitive information to authenticated users with contributor-level access or higher. This could lead to potential misuse of API keys and exposure of administrative contact information. There is no indication of impact on data integrity or system availability. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch is available for this vulnerability. Users of the SureForms plugin should apply the official update to version 1.12.2 or later as soon as possible to remediate the authorization bypass issue. Until patched, restrict contributor-level access to trusted users only. No other vendor advisory details are provided, so check the vendor's official site for the latest patch and guidance.
CVE-2025-10732: CWE-862 Missing Authorization in brainstormforce SureForms – Contact Form, Payment Form & Other Custom Form Builder
Description
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The SureForms – Drag and Drop Form Builder for WordPress plugin contains an authorization bypass vulnerability (CWE-862) in the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. Authenticated attackers with contributor-level privileges or above can exploit this flaw to retrieve sensitive configuration data, including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings. This vulnerability affects all versions up to and including 1.12.1. The CVSS 3.1 base score is 4.3, reflecting a network attack vector with low complexity and requiring privileges but no user interaction. A patch is available to remediate the issue.
Potential Impact
The vulnerability allows unauthorized disclosure of sensitive information to authenticated users with contributor-level access or higher. This could lead to potential misuse of API keys and exposure of administrative contact information. There is no indication of impact on data integrity or system availability. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch is available for this vulnerability. Users of the SureForms plugin should apply the official update to version 1.12.2 or later as soon as possible to remediate the authorization bypass issue. Until patched, restrict contributor-level access to trusted users only. No other vendor advisory details are provided, so check the vendor's official site for the latest patch and guidance.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-09-19T14:28:48.257Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68ede1c61a06eb79bea0b465
Added to database: 10/14/2025, 5:38:14 AM
Last enriched: 4/9/2026, 9:02:35 AM
Last updated: 5/10/2026, 1:21:26 PM
Views: 216
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.