PHP Object Injection Vulnerability in SureForms Drag and Drop Form Builder for WordPress
CVE-2025-6742
Key Information:
- Vendor: WordPress
- CVE Published: 9 July 2025
What is CVE-2025-6742?
The SureForms – Drag and Drop Form Builder plugin for WordPress is vulnerable to PHP Object Injection because the 'delete_entry_files()' function handles file paths improperly. The vulnerability affects all versions up to 1.7.3 and allows unauthenticated attackers to inject PHP objects. There is currently no known payload (POP) chain in the vulnerable software itself, but a chain provided by another installed plugin or theme could lead to severe consequences. If a POP chain exists, attackers could potentially delete arbitrary files, access sensitive data, or execute unauthorized code.
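One way to validate a stored file path before a delete routine touches it, as an added example (not SureForms code or the vendor's patch). The function name `safe_entry_file_path`, the single base upload directory, and the premise that the injection is reached through a stream-wrapper path such as `phar://` are assumptions.

```php
<?php
// Added example: hypothetical helper, not SureForms code or the vendor's patch.
// Assumption: all entry uploads live under one known base directory.

/** Return the canonical path if $candidate is a regular file inside $base_dir, else null. */
function safe_entry_file_path(string $candidate, string $base_dir): ?string
{
    // Refuse empty strings and NUL bytes outright.
    if ($candidate === '' || strpos($candidate, "\0") !== false) {
        return null;
    }
    // Refuse any "scheme://" prefix before a filesystem function sees it.
    // On PHP < 8.0, file_exists() or unlink() on a phar:// path unserializes
    // the archive's metadata, which is how a path turns into object injection.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate)) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; it returns false if missing.
    $base = realpath($base_dir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    // Compare with a trailing separator so "/uploads-old" is not accepted
    // as a child of "/uploads".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

// Constructed demo data: a temp directory standing in for the upload folder.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'entry-uploads-demo';
if (!is_dir($base)) {
    mkdir($base, 0700);
}
$file = $base . DIRECTORY_SEPARATOR . 'a.txt';
file_put_contents($file, 'x');

$inputs = [$file, 'phar://' . $file, $base . '/../outside.txt', ''];
foreach ($inputs as $input) {
    $ok = safe_entry_file_path($input, $base);
    printf("%-60s %s\n", var_export($input, true), $ok === null ? 'rejected' : 'allowed');
}
unlink($file);
rmdir($base);
```

A delete routine would call its filesystem functions only on the returned canonical path, never on the raw stored value.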
Affected Version(s)
SureForms – Drag and Drop Form Builder for WordPress 0.0 <= 0.0.13
SureForms – Drag and Drop Form Builder for WordPress 1.0 <= 1.0.6
SureForms – Drag and Drop Form Builder for WordPress 1.1 <= 1.1.1