
CVE-2025-10732: CWE-862 Missing Authorization in brainstormforce SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more

Severity: Medium
Tags: Vulnerability, CVE-2025-10732, cve, cve-2025-10732, cwe-862
Published: Tue Oct 14 2025 (10/14/2025, 05:24:58 UTC)
Source: CVE Database V5
Vendor/Project: brainstormforce
Product: SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more

Description

CVE-2025-10732 is a medium-severity vulnerability in the SureForms WordPress plugin that allows authenticated users with contributor-level access or higher to read sensitive information through an improperly protected REST API endpoint. Exploitation discloses API keys for Google reCAPTCHA, Cloudflare Turnstile and hCaptcha, admin email addresses, and security-related form settings. The root cause is a missing authorization check on the '/wp-json/sureforms/v1/srfm-global-settings' endpoint. No user interaction beyond authentication is required, and the attack vector is network-based. Although no exploits are known to be in the wild, affected sites should prioritize patching or mitigating this issue to prevent information leakage. The vulnerability affects all versions up to and including 1.12.1 of the plugin. European organizations using this plugin, especially those with contributor-level WordPress users, risk sensitive data exposure that could facilitate further attacks or abuse of security controls.

AI-Powered Analysis

AI analysis last updated: 10/21/2025, 12:00:04 UTC

Technical Analysis

CVE-2025-10732 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the SureForms – Drag and Drop Contact Form Builder WordPress plugin, versions up to 1.12.1. The flaw exists due to improper access control on the REST API endpoint '/wp-json/sureforms/v1/srfm-global-settings'. This endpoint exposes sensitive configuration data without verifying that the requesting user has sufficient privileges beyond contributor-level access. As a result, authenticated users with relatively low privileges can retrieve sensitive information including API keys for anti-bot services such as Google reCAPTCHA, Cloudflare Turnstile, and hCaptcha, as well as admin email addresses and other security-related form settings. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS v3.1 score is 4.3 (medium severity), reflecting the limited scope of impact (confidentiality only), the requirement for authenticated access, and the ease of exploitation due to lack of authorization checks. No known public exploits have been reported yet. The exposure of these API keys and admin emails can facilitate further attacks such as bypassing anti-bot protections, phishing, or targeted social engineering. The vulnerability affects all plugin versions up to 1.12.1, and no official patches have been linked yet, indicating the need for immediate mitigation steps by administrators.
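The authorization gap described above, as an added illustration that is not SureForms code and does not reproduce the plugin's implementation: a WordPress REST route whose permission callback only confirms that the caller is logged in (the shape that matches the advisory's contributor-or-higher precondition), beside one bound to the capability that already guards the site's settings screen. The route namespace `demo-forms/v1`, the option name `demo_forms_global_settings` and the key names inside it are assumptions for the demonstration.

```php
<?php
/**
 * Added example (not SureForms code). Shows the CWE-862 shape for a WordPress
 * REST route that serves site-wide settings, and the hardened version.
 * Namespace, route, option name and key names are assumptions for the demo.
 */

/**
 * Weak permission check: any authenticated user passes, so a contributor can
 * read settings that contain third-party secret keys and the admin email.
 * Kept here only to make the contrast visible; it is not registered below.
 */
function demo_forms_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

/**
 * Hardened permission check: settings that embed captcha secret keys are site
 * configuration, so the route is tied to the capability that protects the
 * admin settings screen, not merely to "has an account".
 */
function demo_forms_permission_global_settings( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to read these settings.', 'demo-forms' ),
            // 401 for anonymous callers, 403 for authenticated ones.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

/**
 * Route callback. WordPress only invokes this after permission_callback
 * has returned true, for every request regardless of authentication method.
 */
function demo_forms_get_global_settings( WP_REST_Request $request ) {
    $settings = get_option( 'demo_forms_global_settings', array() );

    // Defence in depth: if the settings UI does not need to display the secret
    // keys, strip them so they never leave the server, even for administrators.
    // Only the public site keys are needed to render the captcha widgets.
    foreach ( array( 'recaptcha_secret_key', 'turnstile_secret_key', 'hcaptcha_secret_key' ) as $secret ) {
        unset( $settings[ $secret ] );
    }

    return rest_ensure_response( $settings );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-forms/v1', '/global-settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'demo_forms_get_global_settings',
        // The authorization decision lives here, not in the callback.
        'permission_callback' => 'demo_forms_permission_global_settings',
    ) );
} );
```

The check belongs in `permission_callback` because the REST server evaluates it before the route callback for every request, whichever authentication method (cookie plus nonce, application password) the caller used. A WAF in front of the site cannot see which WordPress role a session holds, so a rule on the path `/wp-json/sureforms/v1/srfm-global-settings` can rate-limit, log or block the endpoint outright, but it cannot substitute for a capability check inside the plugin.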

Potential Impact

For European organizations, this vulnerability poses a risk of sensitive information disclosure that could undermine the security posture of websites using the SureForms plugin. Disclosure of API keys for anti-bot services can allow attackers to bypass CAPTCHA protections, increasing the risk of automated attacks such as spam, brute force login attempts, or account takeover. Exposure of admin email addresses can facilitate phishing campaigns or targeted social engineering attacks against key personnel. While the vulnerability does not directly allow code execution or data modification, the leakage of security-related settings and credentials can be leveraged as a stepping stone for more severe attacks. Organizations relying on WordPress sites with contributor-level users should be particularly cautious, as these users can exploit the flaw without elevated privileges. The impact is heightened for sectors with high regulatory requirements for data protection, such as finance, healthcare, and government entities in Europe, where unauthorized disclosure of security configurations may violate compliance mandates. Additionally, the widespread use of WordPress in Europe means a significant number of sites could be affected, potentially impacting brand reputation and customer trust if exploited.

Mitigation Recommendations

To mitigate CVE-2025-10732, European organizations should first verify if their WordPress installations use the SureForms plugin up to version 1.12.1. Immediate steps include restricting contributor-level user permissions to the minimum necessary and auditing user roles to remove unnecessary contributor access. Since no official patch is currently linked, administrators should consider disabling or uninstalling the SureForms plugin until a fixed version is released. Alternatively, web application firewalls (WAFs) can be configured to block or monitor requests to the vulnerable REST API endpoint '/wp-json/sureforms/v1/srfm-global-settings' from users without appropriate privileges. Monitoring logs for unusual access patterns to this endpoint can help detect exploitation attempts. Additionally, organizations should rotate any exposed API keys for Google reCAPTCHA, Cloudflare Turnstile, and hCaptcha as a precautionary measure. Implementing strict role-based access control (RBAC) policies and regularly reviewing plugin security advisories will further reduce risk. Finally, educating site administrators and contributors about the risks of privilege misuse and the importance of timely updates is critical.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-19T14:28:48.257Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ede1c61a06eb79bea0b465

Added to database: 10/14/2025, 5:38:14 AM

Last enriched: 10/21/2025, 12:00:04 PM

Last updated: 12/3/2025, 11:51:03 PM

Views: 97

