PHP Object Injection Vulnerability in SureForms Drag and Drop Form Builder for WordPress
CVE-2025-6742

7.5 HIGH

What is CVE-2025-6742?

The SureForms – Drag and Drop Form Builder plugin for WordPress is vulnerable to PHP Object Injection because of improper handling of file paths in the 'delete_entry_files()' function. All versions up to 1.7.3 are affected, and the flaw can be triggered by unauthenticated attackers to inject PHP objects. No payload (POP) chain is currently known in the vulnerable plugin itself, but if another installed plugin or theme supplies one, the consequences could be severe: an attacker could delete arbitrary files, access sensitive data, or execute unauthorized code.
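As an added illustration, not the plugin's own code, the following hypothetical `delete_entry_files()` shows the bug class the advisory describes (entry file paths passed through `unserialize()`) beside a hardened version that refuses objects and confines deletions to the entry's own directory. Only the function name comes from the advisory; the serialized-string storage format, `$entry_dir` and the surrounding logic are assumptions.

```php
<?php
// Added example (not SureForms code): the bug class behind CVE-2025-6742.
// Assumption: the file paths belonging to one form entry are stored as a
// single serialized PHP string that a request can influence.

// VULNERABLE PATTERN: unserialize() on data an unauthenticated caller can
// shape. Any class loaded by WordPress, the theme or other plugins can be
// instantiated, and its __wakeup()/__destruct() methods run, before the
// path is ever used. That is PHP Object Injection; the impact depends on
// which gadget (POP) chains happen to be installed.
function delete_entry_files_vulnerable(string $stored_paths): void
{
    $paths = unserialize($stored_paths);           // objects allowed
    foreach ((array) $paths as $path) {
        if (file_exists($path)) {
            unlink($path);                          // no directory restriction
        }
    }
}

// HARDENED PATTERN:
//  1. allowed_classes => false turns every object into __PHP_Incomplete_Class,
//     so no magic method runs (storing the list as JSON is better still).
//  2. Each element must be a string whose realpath() stays inside the
//     directory this entry is allowed to touch.
function delete_entry_files_hardened(string $stored_paths, string $entry_dir): int
{
    $paths = unserialize($stored_paths, ['allowed_classes' => false]);
    if (!is_array($paths)) {
        return 0;                                   // refuse anything unexpected
    }
    $base = realpath($entry_dir);
    if ($base === false) {
        return 0;
    }
    $deleted = 0;
    foreach ($paths as $path) {
        if (!is_string($path)) {
            continue;                               // also drops incomplete-class objects
        }
        $real = realpath($path);                    // resolves ../ and symlinks
        $prefix = $base . DIRECTORY_SEPARATOR;
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            continue;                               // outside the entry directory
        }
        if (is_file($real) && unlink($real)) {
            $deleted++;
        }
    }
    return $deleted;
}
```

Detection-wise, a serialized string containing `O:` (an object marker) arriving where only path strings are expected is the signal to alert on; the hardened function never lets such data reach a magic method.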

Affected Version(s)

SureForms – Drag and Drop Form Builder for WordPress 0.0 <= 0.0.13

SureForms – Drag and Drop Form Builder for WordPress 1.0 <= 1.0.6

SureForms – Drag and Drop Form Builder for WordPress 1.1 <= 1.1.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Tan Phat