
Cloud Vulnerability DB
A community-led vulnerabilities database
The SureForms plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2025-12536) affecting all versions up to and including 1.13.1. The vulnerability was disclosed on November 13, 2025 and stems from improper authorization settings in the 'srfmemail_notification' post meta registration (AttackerKB).
The vulnerability exists because the post meta registration sets the 'auth_callback' parameter to '__return_true', which makes the authorization check for that meta key succeed for every caller. This misconfiguration allows unauthenticated users to access email notification metadata that should be restricted (AttackerKB).
Attackers can extract sensitive data including email notification configurations, vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates. This exposed information could be leveraged to inject malicious data into downstream systems or conduct further targeted attacks (AttackerKB).
Users should update to a version newer than 1.13.1 once available. Until then, website administrators should monitor for unauthorized access attempts to the email notification configurations and consider implementing additional access controls at the web application firewall level (AttackerKB).
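To make the registration pattern behind this advisory concrete, and the kind of plugin-side check an administrator can run for the interim controls suggested above, here is an added PHP illustration. It is not SureForms' code: the post type 'sureforms_form', the meta key '_example_email_notification' and the function names are assumptions for the example. It shows the weak registration (an auth_callback that unconditionally returns true) beside a hardened one, plus an audit routine that walks the meta keys WordPress has registered and flags the same pattern.

```php
<?php
// Added example, not SureForms' own code. Post type, meta key and function
// names below are assumptions chosen for illustration.

// Weak pattern described in the advisory: auth_callback => '__return_true'
// makes every add/edit/delete capability check for this meta key pass,
// and show_in_rest places the value in REST API responses.
function example_register_email_meta_weak() {
    register_post_meta(
        'sureforms_form',                 // assumed post type
        '_example_email_notification',    // assumed meta key
        array(
            'type'          => 'object',
            'single'        => true,
            'show_in_rest'  => array(
                'schema' => array(
                    'type'                 => 'object',
                    'additionalProperties' => true,
                ),
            ),
            'auth_callback' => '__return_true', // any caller is authorized
        )
    );
}

// Hardened form: the auth_callback receives the WordPress filter arguments
// (allow, meta key, object id, user id, capability, capabilities) and ties
// authorization to the user's right to edit that specific post.
function example_email_meta_auth_callback( $allowed, $meta_key, $post_id, $user_id, $cap, $caps ) {
    return user_can( $user_id, 'edit_post', $post_id );
}

function example_register_email_meta_hardened() {
    register_post_meta(
        'sureforms_form',
        '_example_email_notification',
        array(
            'type'          => 'object',
            'single'        => true,
            'show_in_rest'  => false, // keep notification settings out of REST responses
            'auth_callback' => 'example_email_meta_auth_callback',
        )
    );
}
add_action( 'init', 'example_register_email_meta_hardened' );

// Audit helper for site operators: list underscore-prefixed (protected) meta
// keys that were registered with an unconditional auth_callback, noting which
// of them are also exposed through the REST API. Run after 'init' so plugins
// have registered their meta, e.g. via WP-CLI: wp eval 'print_r(example_audit_registered_meta("post", "sureforms_form"));'
function example_audit_registered_meta( $object_type = 'post', $subtype = '' ) {
    $findings = array();
    foreach ( get_registered_meta_keys( $object_type, $subtype ) as $key => $args ) {
        $is_protected = is_protected_meta( $key, $object_type );
        $open_auth    = ( '__return_true' === $args['auth_callback'] );
        $in_rest      = ! empty( $args['show_in_rest'] );
        if ( $is_protected && $open_auth ) {
            $findings[] = sprintf(
                '%s: protected meta key registered with auth_callback __return_true%s',
                $key,
                $in_rest ? ' and exposed via show_in_rest' : ''
            );
        }
    }
    return $findings;
}
```

The audit deliberately limits itself to protected (underscore-prefixed) keys, because WordPress itself defaults auth_callback to '__return_true' for non-protected keys; flagging those would bury the finding that matters. Any key the audit reports should be reviewed against the plugin's changelog and, until a fixed release is installed, covered by the WAF rules the advisory recommends.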
Source: This report was generated using AI