VYPR

Sureforms

by WordPress

Source repositories

CVEs (13)

  • CVE-2026-4987  High  Mar 28, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on…

  • CVE-2025-14855  High  Dec 21, 2025
    risk 0.40 | cvss 7.2 | epss 0.00

    The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…

  • CVE-2025-12535  Medium  Nov 19, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'wp_ajax_nopriv_rest-nonce'…

  • CVE-2025-12536  Medium  Nov 13, 2025
    risk 0.28 | cvss 5.3 | epss 0.01

    The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows…

  • CVE-2025-10732  Medium  Oct 14, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings…

  • CVE-2025-8282  Low  Sep 23, 2025
    risk 0.23 | cvss 3.5 | epss 0.00

    The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputting them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks.

  • CVE-2025-10489  Medium  Sep 20, 2025
    risk 0.21 | cvss 4.3 | epss 0.00

    The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and…

  • CVE-2025-5921  Aug 1, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users.

  • CVE-2025-6691  Jul 9, 2025
    risk 0.00 | cvss n/a | epss 0.01

    The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for…

  • CVE-2025-6742  Jul 9, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This…

  • CVE-2025-3514  May 2, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…

  • CVE-2025-3513  May 2, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…

  • CVE-2025-3471  Apr 30, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The SureForms WordPress plugin before 1.4.4 does not have a proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such an action.