CVE-2025-12536 is a vulnerability classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) affecting the SureForms WordPress plugin, which is used for creating contact forms, custom forms, calculators, and more. The issue arises from the plugin's registration of the '_srfm_email_notification' post meta with an 'auth_callback' parameter set to '__return_true'. This configuration disables authentication checks, allowing any unauthenticated user to access sensitive post meta data related to email notifications. These metadata entries often contain sensitive information such as vendor-provided CRM or help desk email addresses, CC and BCC recipients, and notification templates. Exposure of this data can facilitate further attacks, including social engineering, phishing campaigns, or injection of malicious content into systems that process these notifications. The vulnerability affects all versions of SureForms up to and including 1.13.1. The CVSS v3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. While no exploits are currently known in the wild, the vulnerability's nature and ease of exploitation make it a significant risk for affected sites. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate attention by site administrators.

The primary impact of CVE-2025-12536 is the unauthorized disclosure of sensitive email notification metadata from WordPress sites using the SureForms plugin. This exposure can compromise confidentiality by leaking internal email addresses, CRM endpoints, and notification templates. Attackers can leverage this information to craft targeted phishing attacks, impersonate legitimate communication channels, or inject malicious payloads into notification workflows, potentially leading to further compromise of downstream systems. Although the vulnerability does not directly affect data integrity or availability, the indirect consequences of information leakage can be severe, including reputational damage, data breaches, and increased attack surface. Organizations relying on SureForms for customer interaction or internal workflows are at risk, particularly those handling sensitive customer or business data. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and exploitation attempts once publicly known.

To mitigate CVE-2025-12536, organizations should first verify if they are running any version of the SureForms plugin up to 1.13.1 and plan immediate updates once a patched version is released by Brainstormforce. In the absence of an official patch, administrators can implement temporary mitigations such as restricting access to the '_srfm_email_notification' post meta via custom code that enforces proper authentication and authorization checks. This can be achieved by overriding the 'auth_callback' parameter to require at least authenticated users or specific roles. Additionally, web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting this metadata endpoint. Regularly auditing plugin configurations and metadata exposure on WordPress sites is recommended to identify and remediate similar issues proactively. Monitoring for unusual access patterns or data exfiltration attempts related to email notification metadata can also help detect exploitation attempts early. Finally, educating site administrators about the risks of exposing sensitive metadata and encouraging minimal data retention in notification templates can reduce potential impact.