SureForms Plugin Vulnerability – CVE-2025-6691

A high-severity vulnerability (CVSS 8.1) has been identified in the SureForms – Drag and Drop Form Builder for WordPress plugin, affecting all versions up to and including 1.7.3. If you're using this plugin, your site may be exposed to serious risk, even when no user is logged in, because the flaw is exploitable without authentication.

Arbitrary File Deletion Vulnerability (CVE-2025-6691)

The vulnerability stems from insufficient file path validation in the delete_entry_files() function. This flaw allows unauthenticated attackers to delete any file on the server, including critical WordPress core files like wp-config.php.

Once such a file is deleted, the site can enter a broken state or even open the door to remote code execution, depending on server configuration and additional file manipulation.
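The defensive fix for this class of bug is to confine every deletion to one directory the plugin owns and to refuse anything that resolves outside it. The helper below is an added example, not SureForms' own code or its actual patch; the uploads directory layout and the function names are assumptions.

```php
<?php
// Added illustration (not plugin code): confine file deletion to one base directory.
// Assumption: entry attachments live under a per-plugin uploads folder, and the
// stored file name is treated as untrusted input.

/**
 * Resolve $relative_name inside $base_dir and return the absolute path, or
 * null if it escapes the directory (absolute path, '..' segment, or a symlink
 * that points elsewhere).
 */
function safe_path_in_dir( string $base_dir, string $relative_name ): ?string {
    $base = realpath( $base_dir );
    if ( $base === false || $relative_name === '' ) {
        return null; // base directory must exist, name must be non-empty
    }
    // Reject NUL bytes, absolute/drive-letter paths and parent-directory segments early.
    if ( strpos( $relative_name, "\0" ) !== false
        || preg_match( '#^(/|\\\\|[A-Za-z]:)#', $relative_name )
        || preg_match( '#(^|[/\\\\])\.\.([/\\\\]|$)#', $relative_name ) ) {
        return null;
    }
    // realpath() follows symlinks, so a link inside the folder that targets
    // e.g. wp-config.php resolves outside $base and fails the prefix check.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $relative_name );
    if ( $target === false ) {
        return null; // file does not exist
    }
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $target, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null; // resolved path is not under the base directory
    }
    return $target;
}

/** Delete one entry attachment only if it is a regular file inside $uploads_dir. */
function safe_delete_entry_file( string $uploads_dir, string $relative_name ): bool {
    $path = safe_path_in_dir( $uploads_dir, $relative_name );
    if ( $path === null || ! is_file( $path ) ) {
        error_log( 'Refused to delete out-of-scope or missing file: ' . $relative_name );
        return false;
    }
    return unlink( $path );
}
```

The containment check belongs in addition to, not instead of, a capability or nonce check on the request that triggers the deletion.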

What Are the Risks?

  • Full website compromise if key configuration files are deleted.
  • Malware or backdoor installation via chained attacks.
  • Downtime or data loss from file deletion or corruption.

What Should You Do?

  • Update the SureForms plugin immediately to the latest version.
  • Check file integrity, especially wp-config.php, .htaccess, and other sensitive files.
  • Consider implementing file change monitoring or a Web Application Firewall (WAF).
  • Review server logs for any suspicious unauthenticated requests.

Need Help Securing Your Site?

If you're unsure whether your site has been affected or want a security audit, contact me today. I can help assess vulnerabilities, clean up compromised files, and strengthen your overall WordPress security posture.
