PHP Object Injection Vulnerability in SureForms Drag and Drop Form Builder for WordPress
CVE-2025-6742

7.5HIGH

Key Information:

Vendor: WordPress
Status: Sureforms – Drag And Drop Form Builder For WordPress
Vendor: CVE Published:; 9 July 2025

What is CVE-2025-6742?

The SureForms – Drag and Drop Form Builder plugin for WordPress is susceptible to PHP Object Injection due to improper handling of file paths in the 'delete_entry_files()' function. This vulnerability affects all versions up to 1.7.3, allowing unauthenticated attackers to exploit this flaw to inject PHP objects. Although there is currently no known payload chain in the vulnerable software, its presence in conjunction with other installed plugins or themes that have exploitable payload chains could lead to severe consequences. If a POP chain exists, attackers could potentially delete arbitrary files, access sensitive data, or execute unauthorized code.

Affected Version(s)

SureForms – Drag and Drop Form Builder for WordPress 0.0 <= 0.0.13

SureForms – Drag and Drop Form Builder for WordPress 1.0 <= 1.0.6

SureForms – Drag and Drop Form Builder for WordPress 1.1 <= 1.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/sureforms/

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 9, 2025
Vulnerability Reserved
Jun 26, 2025

Credit

Nguyen Tan Phat