CVE-2025-14855
- EPSS 0.16%
- Published 21.12.2025 07:31:10
- Last modified 23.12.2025 14:51:52
The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthent...
CVE-2025-12535
- EPSS 0.1%
- Published 19.11.2025 06:45:25
- Last modified 19.11.2025 19:14:59
The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'w...
CVE-2025-12536
- EPSS 0.05%
- Published 13.11.2025 03:27:39
- Last modified 14.11.2025 16:42:03
The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__retu...
CVE-2025-10732
- EPSS 0.05%
- Published 14.10.2025 05:24:58
- Last modified 14.10.2025 19:36:29
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/suref...
CVE-2025-10489
- EPSS 0.04%
- Published 20.09.2025 04:27:55
- Last modified 22.09.2025 21:23:01
The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all v...
CVE-2025-5921
- EPSS 0.09%
- Published 01.08.2025 06:00:02
- Last modified 06.08.2025 16:48:59
The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users.
CVE-2025-6691
- EPSS 0.54%
- Published 09.07.2025 05:23:39
- Last modified 11.07.2025 21:22:46
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This mak...
CVE-2025-6742
- EPSS 0.69%
- Published 09.07.2025 05:23:39
- Last modified 11.07.2025 21:21:48
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on t...
CVE-2025-3513
- EPSS 0.17%
- Published 02.05.2025 06:15:48
- Last modified 28.05.2025 16:02:00
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disal...
CVE-2025-3514
- EPSS 0.17%
- Published 02.05.2025 06:15:48
- Last modified 28.05.2025 16:01:47
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disal...