CVE-2025-12536: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in brainstormforce SureForms – Contact Form, Custom Form Builder, Calculator & More
The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems.
AI Analysis
Technical Summary
CVE-2025-12536 is a vulnerability identified in the SureForms WordPress plugin, which is widely used for creating contact forms, custom forms, and calculators. The issue lies in the registration of the '_srfm_email_notification' post meta, where the 'auth_callback' parameter is set to '__return_true'. Because that callback answers "allowed" for every caller, the configuration effectively disables authorization checks and lets any unauthenticated user retrieve the email notification configuration stored under that key. These configurations often contain private information such as vendor CRM or help desk email addresses, CC and BCC recipients, and notification templates. Exposure of this data can facilitate further attacks, including phishing campaigns or injection of malicious content into downstream systems that process these notifications. The vulnerability affects all versions up to and including 1.13.1 of SureForms. The CVSS score is 5.3 (medium), reflecting the vulnerability's network accessibility without authentication, low complexity, and impact limited to confidentiality without affecting integrity or availability. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on October 30, 2025, and published on November 13, 2025. The root cause is CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), arising from improper authorization logic in the plugin's use of the WordPress metadata API. Organizations using SureForms should be aware of this exposure and monitor for updates or patches from Brainstormforce.
Potential Impact
For European organizations, the exposure of sensitive email notification metadata can lead to several risks. Confidential information such as CRM and help desk email addresses can be harvested by attackers for targeted phishing or social engineering attacks, increasing the likelihood of credential theft or fraud. Additionally, knowledge of CC/BCC recipients and notification templates can enable attackers to craft more convincing malicious emails or inject harmful data into automated workflows that rely on these notifications. While the vulnerability does not directly compromise system integrity or availability, the leakage of private information can undermine trust and lead to compliance issues under GDPR, especially if personal data is involved. Small and medium enterprises (SMEs) that rely on SureForms for customer interaction are particularly vulnerable, as they may lack robust monitoring or incident response capabilities. The ease of exploitation without authentication means attackers can probe vulnerable sites at scale, increasing the attack surface. Although no active exploits are known, the potential for abuse in phishing campaigns or supply chain attacks targeting CRM systems is significant.
Mitigation Recommendations
Immediate mitigation involves restricting access to the '_srfm_email_notification' post meta endpoint by implementing custom authorization callbacks that enforce user authentication and role-based access controls. Until an official patch is released by Brainstormforce, administrators should consider disabling the SureForms plugin if it is not critical or replacing it with alternative plugins that do not exhibit this vulnerability. Monitoring web server logs for unusual access patterns to metadata endpoints can help detect exploitation attempts. Organizations should also audit their email notification configurations to minimize sensitive data exposure and ensure that templates do not include unnecessary private information. Applying Web Application Firewall (WAF) rules to block unauthorized access to WordPress REST API endpoints related to post meta can provide an additional layer of defense. Once a patch is available, prompt updating of the plugin is essential. Finally, educating staff about phishing risks and maintaining robust email security controls will mitigate downstream risks from exposed information.
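The hardening the recommendation describes, shown as an added PHP example that is not SureForms' own code: the weak registration pattern the advisory names sits beside a version whose 'auth_callback' checks the calling user, and a response filter adds a second, site-level layer. The post type 'example_form', the meta key '_example_email_notification' and all function names are hypothetical stand-ins; the WordPress functions used ('register_post_meta', 'user_can', 'is_user_logged_in', the 'rest_prepare_{post_type}' filter) are real.

```php
<?php
/**
 * Added illustration for CVE-2025-12536 (not SureForms' code).
 * 'example_form' and '_example_email_notification' are hypothetical
 * stand-ins for the affected post type and meta key.
 */

// WEAK (the pattern the advisory describes): '__return_true' as the
// auth_callback answers "allowed" for every caller, so the underscore-
// prefixed key loses the protection WordPress gives such keys by default
// and the stored notification settings become readable without a login.
function example_register_meta_weak() {
    register_post_meta(
        'example_form',
        '_example_email_notification',
        array(
            'type'          => 'string',
            'single'        => true,
            'show_in_rest'  => true,
            'auth_callback' => '__return_true',
        )
    );
}

// HARDENED: the callback is evaluated per request and per user.
// WordPress passes the user being checked as $user_id (0 for anonymous
// REST requests), so the answer can depend on who is asking.
function example_email_notification_auth( $allowed, $meta_key, $post_id, $user_id, $cap, $caps ) {
    if ( 0 === (int) $user_id ) {
        return false; // unauthenticated: never allowed
    }
    // Only a user who may edit this particular form post may touch its
    // notification settings (administrators and the form's editors).
    return user_can( $user_id, 'edit_post', $post_id );
}

function example_register_meta_hardened() {
    register_post_meta(
        'example_form',
        '_example_email_notification',
        array(
            'type'          => 'string',
            'single'        => true,
            'show_in_rest'  => true,
            'auth_callback' => 'example_email_notification_auth',
        )
    );
}
add_action( 'init', 'example_register_meta_hardened' );

// SECOND LAYER (site-level, independent of how the plugin registered the
// key): strip the sensitive meta from REST responses unless the current
// user can edit the form. Runs at response time, so it applies even if
// the plugin's own registration cannot be changed on this site.
function example_strip_notification_meta( $response, $post, $request ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_post', $post->ID ) ) {
        if ( isset( $response->data['meta']['_example_email_notification'] ) ) {
            unset( $response->data['meta']['_example_email_notification'] );
        }
    }
    return $response;
}
add_filter( 'rest_prepare_example_form', 'example_strip_notification_meta', 10, 3 );
```

The response filter is the part an administrator can deploy in a small site-specific plugin without editing the vendor's files; the 'auth_callback' change is what the vendor fix itself would look like, and the two together leave anonymous REST callers with no path to the notification settings.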
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T20:16:38.662Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691553e024a15f0eafbbc0a0
Added to database: 11/13/2025, 3:43:28 AM
Last enriched: 11/13/2025, 3:59:23 AM
Last updated: 11/13/2025, 8:14:45 AM