CVE-2025-10732

4.3 MEDIUM

📋 TL;DR

The SureForms WordPress plugin has an access control vulnerability in its REST API endpoint that allows authenticated users with contributor-level permissions or higher to retrieve sensitive configuration data. This includes API keys for security services like Google reCAPTCHA, Cloudflare Turnstile, and hCaptcha, plus admin email addresses and security settings. All WordPress sites using SureForms versions up to 1.12.1 are affected.

💻 Affected Systems

Products:
  • SureForms – Drag and Drop Form Builder for WordPress
Versions: All versions up to and including 1.12.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with SureForms plugin enabled. Vulnerability exists in default configuration.

⚠️ Manual Verification Required

Automated vulnerability detection cannot determine from the CVE record alone whether your system is affected: the NVD entry for this CVE carries no machine-readable version range, so scanners that key off NVD data will not flag it.

Why? The vendor/NVD entry does not specify vulnerable version ranges. Verify manually against the version information on this page instead: SureForms 1.12.1 and earlier are affected.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check the vendor's advisory and changelog for your installed version
  3. Test whether the endpoint is readable by a contributor account in your environment
  4. Update to the current SureForms release (newer than 1.12.1)

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who holds or obtains a contributor account reads the global settings, extracts the CAPTCHA secret keys and administrator email addresses, and uses them to abuse the integrated third-party services and to target administrators with credible phishing.

🟠

Likely Case

A malicious contributor, or an attacker with a compromised contributor account, leaks the CAPTCHA secret keys and other configuration data; every exposed key has to be treated as compromised and rotated, and the leak potentially allows CAPTCHA abuse or unauthorized access to the integrated services.

🟢

If Mitigated

With proper access controls, only administrators can access sensitive settings, limiting exposure even if lower-privileged accounts are compromised.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access with contributor privileges or higher. Exploitation involves sending GET requests to the vulnerable REST API endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.12.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3368400%40sureforms&new=3368400%40sureforms&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the SureForms plugin.
4. Click 'Update Now' if an update is available.
5. If no update is offered, download the latest version from WordPress.org and replace the plugin files manually.

🔧 Temporary Workarounds

Restrict Contributor Access

all

Temporarily demote or suspend contributor, author and editor accounts (any role that can authenticate but is not an administrator) until the patch can be applied.

Block REST API Endpoint

Apache

Use a web application firewall or .htaccess to block the /wp-json/sureforms/v1/srfm-global-settings endpoint. Two caveats: the rule also blocks administrators, so the SureForms settings screen may stop working until the plugin is updated; and a rule on the pretty-permalink path alone is bypassed by the query-string form of the REST API (/?rest_route=/sureforms/v1/srfm-global-settings), so both forms are covered below. On nginx, apply the equivalent deny rule in a location block.

# Add to .htaccess, above the "# BEGIN WordPress" block so it runs before WordPress's own rewrites:
<IfModule mod_rewrite.c>
RewriteEngine On
# Pretty-permalink form of the endpoint
RewriteRule ^wp-json/sureforms/v1/srfm-global-settings - [F,L]
# Query-string form (?rest_route=...), with the slashes either literal or percent-encoded
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)sureforms(/|%2F)v1(/|%2F)srfm-global-settings [NC]
RewriteRule ^ - [F,L]
</IfModule>

🧯 If You Can't Patch

  • Disable SureForms plugin completely until patch can be applied.
  • Implement strict access controls and monitor for suspicious API requests to the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → SureForms version. If version is 1.12.1 or lower, system is vulnerable.

Check Version:

wp plugin list --name=sureforms --field=version

Verify Fix Applied:

After updating, verify that the plugin version is higher than 1.12.1. Then request /wp-json/sureforms/v1/srfm-global-settings while authenticated as a contributor: a fixed version answers with HTTP 401 or 403 instead of the settings JSON. Repeat the request as an administrator to confirm the endpoint still works for its intended users.
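A small check that automates the contributor test above, added here as an example (not SureForms code, and not the verification scripts this page refers to). It assumes the endpoint path given on this page, a WordPress application password for the contributor account (Basic auth, which WordPress accepts over HTTPS), and, because the field names in the settings response are not documented here, treats any populated field whose name contains "secret", "key", "token" or "email" as sensitive:

```python
"""Check whether SureForms' global-settings REST endpoint is readable by a
low-privilege account (CVE-2025-10732).

Added example for this page, not SureForms code. Assumptions: the endpoint
lives at /wp-json/sureforms/v1/srfm-global-settings, the test account
authenticates with a WordPress application password over HTTPS, and the
names of the sensitive fields in the response are unknown, so any populated
key containing "secret", "key", "token" or "email" is treated as sensitive.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

ENDPOINT = "/wp-json/sureforms/v1/srfm-global-settings"
SENSITIVE_HINTS = ("secret", "key", "token", "email")   # assumed field-name hints


def sensitive_fields(obj, path=""):
    """Recursively collect dotted paths of non-empty fields whose name looks
    like a secret or an address. Public values such as a CAPTCHA site key
    match too; that is fine here, it still proves the settings were served."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else str(k)
            if isinstance(v, (dict, list)):
                found.extend(sensitive_fields(v, here))
            elif v not in ("", None) and any(h in str(k).lower() for h in SENSITIVE_HINTS):
                found.append(here)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(sensitive_fields(v, f"{path}[{i}]"))
    return found


def classify(status, body):
    """Map an HTTP response from the endpoint to a verdict.

    200 with populated sensitive-looking fields -> "vulnerable"
    401 / 403                                   -> "fixed" (permission check holds)
    anything else                               -> "inconclusive"
    """
    if status in (401, 403):
        return "fixed", []
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "inconclusive", []
        fields = sensitive_fields(data)
        return ("vulnerable" if fields else "inconclusive"), fields
    return "inconclusive", []


def fetch(base_url, username, app_password, timeout=10):
    """GET the endpoint with Basic auth (WordPress application password).
    Returns (status, body); 401/403 are returned, not raised, and network
    failures come back as (None, reason)."""
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except urllib.error.URLError as e:
        return None, str(e.reason)


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} https://site.example contributor_user app_password")
        return 2
    status, body = fetch(*argv[1:])
    verdict, fields = classify(status, body)
    extra = f" (exposed: {', '.join(fields)})" if fields else ""
    print(f"HTTP {status}: {verdict}{extra}")
    return 1 if verdict == "vulnerable" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with the contributor's credentials and once with an administrator's: the contributor run should print "fixed" on a patched site, the administrator run "vulnerable" (meaning the settings are served, which for an administrator is the intended behaviour). A 200 whose body has no populated sensitive-looking fields is reported as inconclusive rather than fixed, because a patched plugin might serve a redacted copy of the settings under a field name the hints miss.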

📡 Detection & Monitoring

Log Indicators:

  • Multiple GET requests to /wp-json/sureforms/v1/srfm-global-settings, or to its query-string form /?rest_route=/sureforms/v1/srfm-global-settings, from non-admin users
  • Unusual API access patterns from contributor-level accounts, especially requests made outside the WordPress admin UI (no wp-admin referrer, scripted user agents)

Network Indicators:

  • HTTP 200 responses containing API keys or sensitive configuration data from the vulnerable endpoint

SIEM Query (pseudo-query; web-server access logs carry no WordPress role, so the user_role field needs application-level audit logging or a WAF that enriches requests with the WordPress user):

source="wordpress.log" AND uri_path="/wp-json/sureforms/v1/srfm-global-settings" AND user_role!="administrator"
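Detection logic over access-log lines, added as an example rather than taken from this page or any SIEM product. It goes slightly beyond the indicators above: it matches both the pretty-permalink path and the query-string form of the same route (/?rest_route=/sureforms/v1/srfm-global-settings, percent-encoded or not), which path-only indicators miss, and it flags 200 responses with a body as the settings having actually been served. The log lines are constructed; a web-server log has no WordPress role, so hits still need correlating against known administrator sessions:

```python
"""Flag access-log lines that hit SureForms' global-settings endpoint.

Added example for this page, not SureForms or SIEM vendor code. Assumes
Apache/nginx combined log format and that WordPress serves the REST API both
as /wp-json/... and as ?rest_route=... (the permalink-less form). The sample
log below is constructed for the example.
"""
import re
from urllib.parse import unquote

ROUTE = "/sureforms/v1/srfm-global-settings"

# Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def targets_endpoint(target):
    """True if the request target is the endpoint in either spelling.
    The query string is percent-decoded so ?rest_route=%2Fsureforms... matches."""
    path, _, query = target.partition("?")
    if path.rstrip("/").endswith("/wp-json" + ROUTE):
        return True
    for param in unquote(query).split("&"):
        name, _, value = param.partition("=")
        if name == "rest_route" and value.rstrip("/") == ROUTE:
            return True
    return False


def scan(lines):
    """Return one dict per GET hit on the endpoint. 'served' marks a 200 with
    a non-empty body, i.e. the settings were handed out (the vulnerable
    outcome); 401/403 hits are kept too, as evidence of attempts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not targets_endpoint(m["target"]):
            continue
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "status": int(m["status"]),
            "bytes": size,
            "served": m["status"] == "200" and size > 0,
        })
    return hits


# Constructed sample: two successful reads (one via rest_route), one blocked
# attempt, one unrelated REST call, one POST that the GET filter ignores.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Oct/2025:10:01:12 +0000] "GET /wp-json/sureforms/v1/srfm-global-settings HTTP/1.1" 200 1842 "-" "python-requests/2.32"
203.0.113.7 - - [02/Oct/2025:10:01:15 +0000] "GET /?rest_route=%2Fsureforms%2Fv1%2Fsrfm-global-settings HTTP/1.1" 200 1842 "-" "python-requests/2.32"
198.51.100.4 - - [02/Oct/2025:10:02:01 +0000] "GET /wp-json/sureforms/v1/srfm-global-settings HTTP/1.1" 403 97 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Oct/2025:10:02:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Oct/2025:10:03:00 +0000] "POST /wp-json/sureforms/v1/srfm-global-settings HTTP/1.1" 200 12 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        flag = "SERVED" if h["served"] else "blocked/other"
        print(f'{h["time"]} {h["ip"]} HTTP {h["status"]} {h["bytes"]}B {flag}')
```

Feed it the real access log (one line per element) and triage every "SERVED" hit: an IP and time that do not line up with an administrator's session, or a scripted user agent, is the signal the SIEM query above is trying to express.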
