CVE-2024-12713

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handle_export_form() function due to a missing capability check. This makes it possible for unauthenticated attackers to export data from password protected, private, or draft posts that they should not have access to.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3215338/sureforms/tags/1.2.3/inc/export.php	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/412d5fa7-08fc-402a-bcac-b2dff87de861?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:brainstormforce:sureforms:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2025-01-08 04:15

Updated : 2025-07-11 21:23

NVD link : CVE-2024-12713

Mitre link : CVE-2024-12713

CVE.ORG link : CVE-2024-12713

JSON object : View

Products Affected

brainstormforce

sureforms

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-12713", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-01-08T04:15:06.967", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3215338/sureforms/tags/1.2.3/inc/export.php", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/412d5fa7-08fc-402a-bcac-b2dff87de861?source=cve", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The SureForms \u2013 Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handle_export_form() function due to a missing capability check. This makes it possible for unauthenticated attackers to export data from password protected, private, or draft posts that they should not have access to."}, {"lang": "es", "value": "El complemento SureForms \u2013 Drag y Drop Form Builder para WordPress para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n en todas las versiones hasta la 1.2.2 incluida a trav\u00e9s de la funci\u00f3n handle_export_form() debido a una verificaci\u00f3n de capacidad faltante. Esto permite que atacantes no autenticados exporten datos de publicaciones protegidas con contrase\u00f1a, privadas o en borrador a las que no deber\u00edan tener acceso."}], "lastModified": "2025-07-11T21:23:11.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:brainstormforce:sureforms:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "CC1BC3D1-5B03-4DE6-8204-E8E1DBA88F03", "versionEndExcluding": "1.2.3"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}