JustAppSec

SureForms Pro unauthenticated access control bypass fixed in 2.8.1

Published 29 Apr 2026. Updated 29 Apr 2026. Source: CVEProject (cvelistV5)

TL;DR - SureForms Pro (WordPress) <= 2.8.0 is missing an authorisation check on a privileged plugin action, reachable by anyone on the internet without authentication. Patch to 2.8.1.

What happened

SureForms Pro is a WordPress form-builder plugin. CVE-2026-42377 (CWE-862, missing authorisation) means an unauthenticated user can reach a plugin action that should require elevated access. No credentials needed. No novel exploit chain required.

Item                Detail
Affected component  WordPress plugin SureForms Pro
Affected versions   <= 2.8.0
Patched version     2.8.1
Severity            CVSS 3.1 7.3 (High)
CVSS vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE                 CWE-862

This is the same WordPress pattern that keeps getting exploited at scale: internet-reachable plugin surfaces with missing authorisation. When the bug class is "unauthenticated user can do a privileged thing", you don't need anything clever.
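To make the bug class concrete, here is an added illustration of a WordPress plugin action that writes a setting, first with the authorisation check missing and then hardened; it is hypothetical code (the acme_forms prefix, action name and option key are made up), not SureForms Pro's, and the same rule is shown for a REST route.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin action. Hypothetical
// plugin code (prefix acme_forms, action and option names are made up), not
// SureForms Pro's. Both handlers are shown side by side; a real plugin would
// contain only one of them.

// --- Vulnerable pattern: privileged settings write reachable by anyone. ---
// Hooking wp_ajax_nopriv_ exposes the handler via /wp-admin/admin-ajax.php to
// logged-out visitors, and the handler never checks who is calling.
function acme_forms_save_settings_vulnerable() {
    $url = isset( $_POST['webhook_url'] ) ? esc_url_raw( wp_unslash( $_POST['webhook_url'] ) ) : '';
    update_option( 'acme_forms_webhook_url', $url );
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_forms_save_settings', 'acme_forms_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_acme_forms_save_settings', 'acme_forms_save_settings_vulnerable' );

// --- Hardened pattern: capability check, nonce, and no nopriv hook. ---
function acme_forms_save_settings_fixed() {
    // Authorisation: only users who may manage site options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'acme_forms_save_settings', 'nonce' );

    $url = isset( $_POST['webhook_url'] ) ? esc_url_raw( wp_unslash( $_POST['webhook_url'] ) ) : '';
    update_option( 'acme_forms_webhook_url', $url );
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_forms_save_settings', 'acme_forms_save_settings_fixed' );

// --- Same rule for a REST route: permission_callback must state the real ---
// --- requirement; __return_true on a privileged route is the same bug.   ---
function acme_forms_rest_save_settings( WP_REST_Request $request ) {
    update_option( 'acme_forms_webhook_url', esc_url_raw( (string) $request->get_param( 'webhook_url' ) ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme-forms/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'acme_forms_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin, grep for wp_ajax_nopriv_ hooks and for permission_callback values of __return_true, then confirm each one really is meant for anonymous callers.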

Who is impacted

  • WordPress sites running SureForms Pro at versions <= 2.8.0.
  • Highest-risk deployments are publicly reachable sites where the plugin is installed and active - typical for marketing and lead-capture setups.
  • Any environment where form-builder plugins touch sensitive data flows: PII submissions, webhook or API keys stored in plugin settings, admin email routing.

What to do now

  • Apply the patch. Update SureForms Pro to at least 2.8.1.

    "Update the WordPress SureForms Pro Plugin to the latest available version (at least 2.8.1)."

  • Inventory your WordPress fleet for SureForms Pro. Plugins are often installed outside normal dependency management - don't assume your tooling caught it.
  • If you suspect the window before patching was exploited:
    • review WordPress access logs for suspicious unauthenticated requests to the plugin's endpoints
    • audit for unexpected configuration changes in the plugin and in WordPress admin
    • rotate any secrets the plugin could read: webhook tokens, SMTP credentials, API keys stored in plugin settings
