CVE-2025-12536: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in brainstormforce SureForms – Contact Form, Custom Form Builder, Calculator & More
The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems.
AI Analysis
Technical Summary
CVE-2025-12536 is an information exposure flaw in the SureForms WordPress plugin, which is widely used to build contact forms, custom forms, calculators and similar front-end elements. The plugin registers the '_srfm_email_notification' post meta with its 'auth_callback' parameter set to '__return_true'. In WordPress, a meta key with a leading underscore is treated as protected and its auth_callback defaults to denying access; replacing it with '__return_true' removes that check, so the field is treated as freely accessible and can be read by unauthenticated requests. The exposed value is a form's email notification configuration: the destination addresses (frequently vendor-provided CRM or help desk intake mailboxes), CC and BCC recipients, and the notification templates. The flaw is read-only; it does not allow the metadata to be modified or deleted. What it gives an attacker is intelligence: knowing exactly which mailbox a form feeds and how its messages are structured makes targeted phishing easier, lets the exposed intake addresses and templates be reused to inject crafted data into the downstream CRM or ticketing systems they feed, and supplies recipient lists for spam and social engineering. All SureForms versions up to and including 1.13.1 are affected. The CVSS v3.1 base score is 5.3 (medium): reachable over the network with low complexity and no privileges or user interaction required, but with limited confidentiality impact and no integrity or availability impact. No exploitation in the wild had been reported as of publication. Because the plugin is widely deployed on small and medium business sites and the read requires no login, the exposure can be harvested at scale. The root cause is a familiar one in WordPress plugin development: meta registration that opts out of capability checks instead of gating on the capability the data actually warrants.
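The registration pattern described above, written out as an added before/after example in PHP. This is not SureForms or Brainstormforce code: the page does not show the plugin's actual call, so the post type 'example_form', the field type, and the function names are assumptions made for illustration. What is faithful to the advisory is the meta key and the '__return_true' callback.

```php
<?php
/**
 * Added example, not SureForms code. Post type 'example_form', the field
 * type and the example_* function names are assumptions for illustration.
 */

// BEFORE (the vulnerable pattern): '_srfm_email_notification' is a protected
// (underscore-prefixed) key, so WordPress would deny access by default.
// Passing '__return_true' as auth_callback removes that check entirely, and
// show_in_rest puts the value into REST responses for the post type.
function example_register_notification_meta_vulnerable() {
    register_post_meta(
        'example_form',
        '_srfm_email_notification',
        array(
            'type'          => 'string',
            'single'        => true,
            'show_in_rest'  => true,
            'auth_callback' => '__return_true',
        )
    );
}

// AFTER (hardened): gate the key on a real capability of the acting user.
// This is the auth_callback signature WordPress passes for edit/add/delete
// capability checks on the meta key.
function example_notification_meta_auth( $allowed, $meta_key, $object_id, $user_id, $cap, $caps ) {
    // Only a user who may edit this particular form may touch its
    // notification settings. Tighten to 'manage_options' if only
    // administrators should see recipient addresses.
    return user_can( $user_id, 'edit_post', $object_id );
}

function example_register_notification_meta_hardened() {
    register_post_meta(
        'example_form',
        '_srfm_email_notification',
        array(
            'type'          => 'string',
            'single'        => true,
            // Keep recipient configuration out of the public REST
            // representation of the form. If the editor needs it over REST,
            // serve it from a dedicated route whose permission_callback
            // performs the same capability check as the auth_callback.
            'show_in_rest'  => false,
            'auth_callback' => 'example_notification_meta_auth',
        )
    );
}
add_action( 'init', 'example_register_notification_meta_hardened' );
```

The two registrations differ in only two arguments, which is why this class of bug is easy to introduce and easy to miss in review: '__return_true' reads like a harmless default rather than an explicit decision to disable authorization on a protected key.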
Potential Impact
For European organizations the practical risk lies in what the exposed configuration reveals. CRM and help desk intake addresses are normally unpublished; once known, they can be targeted with spear-phishing against employees or with crafted messages designed to land in the support or sales pipeline, potentially leading to compromised credentials or customer data. CC/BCC recipients and notification templates show who receives form submissions internally and how those messages are structured, which makes convincing impersonation easier and supports further social engineering. Feeding malformed or malicious content into the downstream systems those mailboxes drive can disrupt customer support or sales workflows. The vulnerability does not itself affect integrity or availability, but the confidentiality loss can be material for organizations that handle personal data or other regulated data under the GDPR, since the exposed addresses are contact data the organization is obliged to protect. Because no authentication is required, the information can be harvested across many sites at scale, so any organization relying on SureForms for customer-facing forms should assume its notification configuration is discoverable until the plugin is updated, and plan for the reputational damage and regulatory scrutiny that would follow abuse.
Mitigation Recommendations
European organizations using SureForms should first check the installed version: every release up to and including 1.13.1 is affected, so update to the first release after 1.13.1 as soon as Brainstormforce publishes it. Until then, temporary mitigations are possible but need care. Restricting unauthenticated access to the WordPress REST API, whether at a web application firewall or with a small custom access-control rule on the site, closes the read path, but the rule must be scoped so that the form's own submission endpoint and any other legitimately anonymous routes keep working; test a form submission after applying it. Audit the email notification settings of every form and treat the configured addresses as already disclosed: rotate vendor CRM or help desk intake addresses where the vendor allows it, and remove CC/BCC recipients that do not need to be there. Monitor web server and application logs for unauthenticated REST requests that read form content, and for blocked attempts where the WAF or site rule logs them, to spot harvesting. Reinforce the downstream controls that limit the value of the leak: staff phishing awareness, strong email filtering, and multi-factor authentication on mail and CRM accounts. Longer term, include plugin meta registration in security reviews of WordPress plugins, applying least privilege: a meta key should be gated by the capability its data warrants, never by '__return_true'. Finally, follow Brainstormforce security advisories so the fix is applied promptly.
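One way to implement the temporary access restriction and the log monitoring recommended above, as an added example in PHP that is not SureForms, Brainstormforce or OffSeq code. It is a must-use plugin that refuses anonymous requests to the core /wp/v2/ content endpoints (where registered post meta is emitted) and writes each refusal to the PHP error log. It assumes the site does not need anonymous access to those core endpoints; the allowed-prefix list and all example_* names are assumptions to be adjusted per site.

```php
<?php
/**
 * Plugin Name: Example anonymous REST read guard
 * Description: Added mitigation example (not SureForms or Brainstormforce
 * code). Install as wp-content/mu-plugins/example-rest-guard.php. Assumes the
 * site does not need anonymous access to the core /wp/v2/ endpoints; the
 * allowed prefixes below are an assumption to adjust per site.
 */

// Anonymous requests to routes under these prefixes stay reachable.
// Assumed example: oEmbed discovery. Add a plugin's own submission namespace
// here if its front-end form posts to the REST API.
function example_rest_guard_allowed_prefixes() {
    return array(
        '/oembed/1.0/',
    );
}

// Resolve the REST route of the current request ('/wp/v2/posts' and so on).
function example_rest_guard_current_route() {
    $route = '';
    if ( isset( $GLOBALS['wp'] ) && ! empty( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
        // Set by the wp-json rewrite rule and by ?rest_route= requests alike.
        $route = $GLOBALS['wp']->query_vars['rest_route'];
    } elseif ( isset( $_SERVER['REQUEST_URI'] ) ) {
        $path  = wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
        $route = preg_replace( '#^.*?/wp-json#', '', (string) $path );
    }
    return '/' . ltrim( $route, '/' );
}

// Pure decision function: should an anonymous request to $route be refused?
function example_rest_guard_should_block( $route, $logged_in ) {
    if ( $logged_in ) {
        return false; // authenticated users (block editor, admins) are untouched
    }
    foreach ( example_rest_guard_allowed_prefixes() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return false;
        }
    }
    // Core content endpoints are where show_in_rest post meta is exposed.
    return 0 === strpos( $route, '/wp/v2/' );
}

function example_rest_guard_authentication( $result ) {
    // Another plugin already produced an error or an explicit pass; keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    $route = example_rest_guard_current_route();
    if ( ! example_rest_guard_should_block( $route, is_user_logged_in() ) ) {
        return $result;
    }
    // Detection signal: every refused read lands in the PHP error log, so
    // scripted harvesting of many forms shows up as a burst of these lines.
    error_log( sprintf(
        'example-rest-guard: blocked anonymous REST read of %s from %s',
        $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    return new WP_Error(
        'rest_forbidden',
        'Authentication is required for this endpoint.',
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'example_rest_guard_authentication' );
```

The guard hooks 'rest_authentication_errors', which WordPress applies after cookie authentication and before any route is dispatched, so logged-in editors keep full REST access while anonymous reads of the content endpoints are refused with a 401. It is deliberately narrow: other namespaces are left alone so a plugin's own submission route keeps working, but a theme or headless front end that reads /wp/v2/ anonymously would break, which is why a form submission and the public site should be tested after installing it. Remove the plugin once the patched SureForms release is in place.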
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T20:16:38.662Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691553e024a15f0eafbbc0a0
Added to database: 11/13/2025, 3:43:28 AM
Last enriched: 11/20/2025, 4:48:47 AM
Last updated: 12/28/2025, 11:19:08 AM