PT-2025-47442 · WordPress · SureForms

Published 2025-11-19 · Updated 2025-11-19 · CVE-2025-12535

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SureForms plugin for WordPress, versions up to and including 1.13.1

Description: The SureForms plugin for WordPress is susceptible to a Cross-Site Request Forgery (CSRF) protection bypass. The plugin hands out generic WordPress REST API nonces (action `wp_rest`) to unauthenticated users through the `wp_ajax_nopriv_rest-nonce` action instead of issuing form-specific nonces. Because any visitor can obtain such a nonce, unauthenticated attackers can bypass CSRF protection on REST API endpoints that rely solely on nonce verification and perform no further authentication or capability checks. They can then trigger unauthorized actions, including the plugin's post-submission hooks and potentially REST endpoints exposed by other plugins.

Recommendations: Update the SureForms plugin to a version newer than 1.13.1.
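The weakness described above is a REST endpoint whose only gate is a nonce that anyone can mint, so the following added example (not SureForms' code; the namespace `example-forms/v1`, the `example_forms_*` function names and the hidden-field name are hypothetical) contrasts that pattern with a handler that requires a form-specific nonce and, for state-changing actions, a capability check. It assumes a WordPress environment and is registered on the `rest_api_init` hook.

```php
<?php
// Added illustration of the CSRF-bypass class described in this advisory (CVE-2025-12535).
// Not SureForms' code: route names and example_forms_* function names are hypothetical.

function example_forms_nonce_action( int $form_id ): string {
    // One nonce action per form, so a token minted for one form (or the generic
    // 'wp_rest' token from the rest-nonce AJAX action) does not verify for another.
    return 'example_forms_submit_' . $form_id;
}

// Called while rendering the form: embeds a form-specific token in a hidden field.
function example_forms_render_token_field( int $form_id ): string {
    $nonce = wp_create_nonce( example_forms_nonce_action( $form_id ) );
    return '<input type="hidden" name="example_forms_token" value="' . esc_attr( $nonce ) . '">';
}

function example_forms_permission_check( WP_REST_Request $request ) {
    $form_id = absint( $request['form_id'] );
    $token   = (string) $request->get_param( 'example_forms_token' );

    // wp_verify_nonce() fails for any token not created for this exact action,
    // so the generic 'wp_rest' nonce is rejected here even though WordPress core
    // already accepted it for the cookie-authentication step.
    if ( ! $form_id || ! wp_verify_nonce( $token, example_forms_nonce_action( $form_id ) ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid or missing form token.', array( 'status' => 403 ) );
    }

    // A nonce is a CSRF token, not an authorization mechanism: anything beyond accepting
    // a public submission must additionally check a capability.
    if ( $request->get_param( 'admin_action' ) && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }

    return true;
}

function example_forms_handle_submission( WP_REST_Request $request ) {
    $form_id = absint( $request['form_id'] );
    // Post-submission hooks fire only after the permission callback has passed.
    do_action( 'example_forms_after_submission', $form_id, $request->get_json_params() );
    return rest_ensure_response( array( 'ok' => true, 'form_id' => $form_id ) );
}

add_action( 'rest_api_init', function () {
    // WEAK PATTERN (the class of issue in this advisory): permission_callback returns true,
    // leaving the generic 'wp_rest' nonce as the only check. Since a fresh 'wp_rest' nonce is
    // available to any visitor via admin-ajax.php?action=rest-nonce, the endpoint is not
    // actually tied to a form or a user.
    register_rest_route( 'example-forms/v1', '/submit-weak/(?P<form_id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_forms_handle_submission',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED PATTERN: the same handler behind a form-specific nonce plus capability check.
    register_rest_route( 'example-forms/v1', '/submit/(?P<form_id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_forms_handle_submission',
        'permission_callback' => 'example_forms_permission_check',
        'args'                => array(
            'form_id' => array( 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );
```

WordPress nonces are tied to the user id (0 for logged-out visitors) and rotate roughly every 12 hours, so a per-form nonce does not identify an individual anonymous visitor; its value here is that it cannot be obtained from the generic `rest-nonce` action and is only embedded in the rendered form. Full-page caching that stores the rendered hidden field would serve a stale token, so forms protected this way should be excluded from such caches.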

Fix · CSRF

Weakness Enumeration

Related Identifiers: CVE-2025-12535

Affected Products: SureForms