CVE-2025-10732 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the SureForms – Drag and Drop Contact Form Builder WordPress plugin, versions up to and including 1.12.1. The issue arises from improper access control on the REST API endpoint '/wp-json/sureforms/v1/srfm-global-settings', which is intended to provide global plugin settings. Due to missing authorization checks, any authenticated user with contributor-level permissions or higher can query this endpoint and retrieve sensitive configuration data. The exposed information includes API keys for third-party CAPTCHA services such as Google reCAPTCHA, Cloudflare Turnstile, and hCaptcha, as well as administrative email addresses and security-related form settings. These details are critical as they can be leveraged to bypass CAPTCHA protections, facilitate social engineering, or conduct further attacks against the WordPress site or its users. The vulnerability does not require user interaction beyond authentication and does not impact data integrity or availability directly. The CVSS v3.1 base score is 4.3, indicating a medium severity primarily due to the confidentiality impact and the requirement for authenticated access with low attack complexity. No public exploits have been reported, but the vulnerability poses a risk to any WordPress site using the affected plugin versions, especially those with multiple contributors or editors.

The primary impact of CVE-2025-10732 is the unauthorized disclosure of sensitive information, which can weaken the security posture of affected WordPress sites. Exposure of CAPTCHA API keys can allow attackers to circumvent anti-bot protections, increasing the risk of automated attacks such as spam, brute force login attempts, or account enumeration. Disclosure of admin email addresses can facilitate targeted phishing or social engineering campaigns. Additionally, leaked security-related form settings may reveal configuration weaknesses or enable attackers to craft more effective attacks. While this vulnerability does not directly compromise data integrity or availability, the information disclosed can serve as a stepping stone for more severe attacks. Organizations with multiple contributors or editors are at higher risk since these roles have sufficient privileges to exploit the flaw. The impact is particularly significant for websites handling sensitive user data or relying heavily on CAPTCHA for security. Failure to address this vulnerability could lead to reputational damage, increased attack surface, and potential downstream compromises.

To mitigate CVE-2025-10732, organizations should first update the SureForms plugin to a version where the vulnerability is patched once available. In the absence of an official patch, administrators should restrict contributor-level and higher access to trusted users only, minimizing the number of accounts that can exploit the flaw. Implementing strict role-based access control (RBAC) policies can reduce exposure. Additionally, consider disabling or restricting access to the vulnerable REST API endpoint via web application firewall (WAF) rules or custom server configurations to block unauthorized API calls. Rotate any exposed API keys for CAPTCHA services immediately to invalidate compromised credentials. Monitoring logs for unusual API access patterns or contributor activity can help detect exploitation attempts. Finally, educate site administrators and contributors about the risk and encourage prompt reporting of suspicious behavior. Combining these measures will reduce the likelihood and impact of exploitation until an official patch is applied.