71 matches found
EUVD-2025-34138
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint...
CVE-2025-10732 SureForms – Drag and Drop Form Builder for WordPress <= 1.12.1 - Missing Authorization to Authenticated (Contributor+) Information Disclosure
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint...
CVE-2025-10732
The CVE concerns the WordPress plugin SureForms – Drag and Drop Form Builder for WordPress. Affected versions: all up to 1.12.1. Root cause: improper access control on the REST endpoint /wp-json/sureforms/v1/srfm-global-settings, allowing authenticated users with contributor-level access and abov...
CVE-2025-10732 SureForms – Drag and Drop Form Builder for WordPress <= 1.12.1 - Missing Authorization to Authenticated (Contributor+) Information Disclosure
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint...
WordPress plugin SureForms 安全漏洞
WordPress SureForms plugin is a visual form builder plugin designed for WordPress , support drag and drop operation , no programming foundation to quickly build responsive forms . An information disclosure vulnerability exists in the WordPress SureForms plugin, which stems from improper access...
WordPress SureForms – Drag and Drop Form Builder for WordPress plugin <= 1.12.1 - Missing Authorization to Authenticated (Contributor+) Information Disclosure vulnerability
Missing Authorization to Authenticated Contributor+ Information Disclosure vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin SureForms versions = 1.12.1...
EUVD-2025-13229
Malicious code in bioql PyPI...
WordPress SureForms plugin < 1.9.1 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin SureForms versions 1.9.1...
CVE-2025-8282
The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputing them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks...
CVE-2025-8282 SureForms < 1.9.1 - Admin+ Stored XSS
The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputing them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks...
CVE-2025-8282
CVE-2025-8282 affects the SureForms WordPress plugin prior to 1.9.1. The issue is an input sanitization/escaping flaw in parameters output on pages, enabling stored Cross‑Site Scripting (XSS) for admin and higher-privilege users. Impact is admin users could inject malicious scripts into pages ren...
PT-2025-39146
Name of the Vulnerable Software and Affected Versions SureForms WordPress plugin versions prior to 1.9.1 Description The SureForms WordPress plugin does not properly sanitize and escape parameters when displaying them on a page. This could allow administrators and users with higher privileges to...
CVE-2025-10489
The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the registerposttypes function in all versions up to, and including, 1.12.0. This makes it...
CVE-2025-10489
The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the registerposttypes function in all versions up to, and including, 1.12.0. This makes it...
CVE-2025-10489
CVE-2025-10489 SureForms (WordPress) — Vulnerable to unauthorized form creation due to a missing capability check in register_post_types() for all versions up to 1.12.0. Authenticated attackers with Contributor-level access and above can create forms even when the UI blocks it. Impact per availab...
CVE-2025-10489 SureForms – Drag and Drop Form Builder for WordPress <= 1.12.0 - Missing Authorization to Authenticated (Contributor+) Form Creation
The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the registerposttypes function in all versions up to, and including, 1.12.0. This makes it...
CVE-2025-10489 SureForms – Drag and Drop Form Builder for WordPress <= 1.12.0 - Missing Authorization to Authenticated (Contributor+) Form Creation
The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the registerposttypes function in all versions up to, and including, 1.12.0. This makes it...
WordPress SureForms – Drag and Drop Form Builder for WordPress plugin <= 1.12.0 - Missing Authorization to Authenticated (Contributor+) Form Creation vulnerability
Missing Authorization to Authenticated Contributor+ Form Creation vulnerability discovered by Alex in WordPress Plugin SureForms versions = 1.12.0...
CVE-2025-5921
The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users...
CVE-2025-5921
The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users...