CVE-2025-10489
BaseFortify
Publication date: 2025-09-20
Last updated on: 2025-09-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | sureforms | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Update the SureForms WordPress plugin to version 1.12.1 or later, which restricts the capability to create and manage forms to users with the 'manage_options' permission (typically administrators). This update modifies the custom post type registration to enforce proper capability checks, preventing Contributor-level users from unauthorized form creation. [1]
Can you explain this vulnerability to me?
This vulnerability in the SureForms WordPress plugin allows authenticated users with Contributor-level access or higher to create forms even though the user interface prohibits it. This happens because the plugin lacks a proper capability check in the register_post_types() function, enabling unauthorized creation of forms.
How can this vulnerability impact me? :
The vulnerability can allow users with lower privileges (Contributor-level) to create forms without proper authorization. This could lead to unauthorized content being added to the website, potentially causing management issues or misuse of the form functionality.