The SureForms plugin for WordPress, which provides contact forms, custom form building, and calculators, suffers from a CSRF vulnerability identified as CVE-2025-12535. The root cause lies in the plugin's distribution of generic WordPress REST API nonces (wp_rest) to unauthenticated users through the 'wp_ajax_nopriv_rest-nonce' action. While the plugin requires support for unauthenticated form submissions, it erroneously uses generic REST nonces instead of form-specific nonces. Nonces in WordPress are intended to prevent CSRF by ensuring requests originate from legitimate users; however, generic nonces distributed to unauthenticated users can be exploited to bypass this protection. Attackers can craft malicious requests that trigger REST API endpoints relying solely on nonce verification without additional authentication, enabling unauthorized actions such as invoking SureForms' post-submission hooks. This flaw could also be leveraged to affect other plugins exposing REST endpoints that rely on similar nonce-based protections. The vulnerability affects all versions up to and including 1.13.1 of SureForms. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or availability impact, but integrity impact is present. No patches or known exploits are currently documented, but the vulnerability is publicly disclosed and should be addressed promptly.

This vulnerability allows unauthenticated attackers to perform unauthorized actions via the WordPress REST API by bypassing CSRF protections. The primary impact is on data integrity, as attackers can trigger post-submission hooks that may modify data or state within the SureForms plugin or other plugins relying on similar nonce mechanisms. Although confidentiality and availability are not directly affected, unauthorized data manipulation can lead to misinformation, spam submissions, or unintended side effects within the website's functionality. Organizations running WordPress sites with SureForms installed are at risk of automated or targeted attacks exploiting this flaw to compromise form handling processes, potentially undermining user trust and site reliability. The vulnerability's ease of exploitation (no authentication or user interaction required) increases risk, especially for high-traffic or publicly accessible sites. While no known exploits are reported, the public disclosure and moderate CVSS score suggest attackers may develop exploits, increasing the threat over time.

Administrators should immediately update the SureForms plugin to a version that addresses this vulnerability once available. Until a patch is released, practical mitigations include disabling the 'wp_ajax_nopriv_rest-nonce' action to prevent unauthenticated nonce distribution or implementing additional server-side validation that enforces form-specific nonces rather than generic REST nonces. Employing Web Application Firewalls (WAFs) with rules to detect and block suspicious REST API requests can reduce exploitation risk. Site owners should audit other plugins for similar nonce misuse and ensure REST API endpoints enforce proper authentication and authorization beyond nonce checks. Monitoring logs for unusual REST API activity and restricting REST API access to authenticated users where feasible can further mitigate risk. Educating developers about nonce best practices and avoiding generic nonce exposure to unauthenticated users is critical for long-term security.