File Deletion Vulnerability in SureForms Drag and Drop Form Builder for WordPress
CVE-2025-6691

8.1HIGH

What is CVE-2025-6691?

The SureForms – Drag and Drop Form Builder for WordPress plugin possesses a vulnerability that allows unauthorized users to delete arbitrary files from the server due to inadequate file path validation in the delete_entry_files() function. This flaw affects all versions up to and including 1.7.3, creating a path for potential remote code execution, especially if sensitive files such as wp-config.php are targeted. Organizations using this plugin should prioritize applying updates and implementing security measures to safeguard against exploitation.

Affected Version(s)

SureForms – Drag and Drop Form Builder for WordPress 0.0 <= 0.0.13

SureForms – Drag and Drop Form Builder for WordPress 1.0 <= 1.0.6

SureForms – Drag and Drop Form Builder for WordPress 1.1 <= 1.1.1

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Tan Phat
.