CVE-2025-3471: SureForms < 1.4.4 - Contributor+ Settings Update
First published: Wed Apr 30 2025(Updated: )
The SureForms WordPress plugin before 1.4.4 does not have proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SureForms | <1.4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-3471?
CVE-2025-3471 has a medium severity rating as it allows unauthorized users to update settings via the REST API.
How do I fix CVE-2025-3471?
To fix CVE-2025-3471, update the SureForms WordPress plugin to version 1.4.4 or later.
Who is affected by CVE-2025-3471?
Users with the SureForms WordPress plugin version lower than 1.4.4, especially those with Contributor roles or higher, are affected by CVE-2025-3471.
What versions of the SureForms WordPress plugin are vulnerable to CVE-2025-3471?
Versions of the SureForms WordPress plugin prior to 1.4.4 are vulnerable to CVE-2025-3471.
What kind of attack can CVE-2025-3471 enable?
CVE-2025-3471 can enable users with insufficient privileges to modify plugin settings through the REST API.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/title
- agent/type
- agent/softwarecombine
- agent/author
- agent/source
- collector/nvd-api
- source/NVD
- agent/severity
- agent/last-modified-date
- agent/event
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/sureforms
- canonical/sureforms