A significant security flaw has been identified in the SureForms WordPress plugin, a widely used drag-and-drop form builder installed on over 200,000 websites. The vulnerability, tracked as CVE-2025-6691 with a CVSS score of 8.8, lets unauthenticated attackers plant arbitrary file paths in form submissions; when an administrator later deletes those submissions, the referenced files, including the critical `wp-config.php`, are removed from the server, which can lead to complete site takeover.
Understanding the Vulnerability
The SureForms plugin is designed to simplify form creation on WordPress sites. The flaw lies in how the plugin handles file paths attached to form submissions: it does not adequately validate them, and the submission endpoint requires no authentication, so anyone who can reach a public form can supply them.
Specifically, the vulnerability stems from insufficient checks in the `prepare_submission_data()` function, which does not validate user-supplied file paths. An attacker can therefore attach arbitrary file paths to a submission, even for forms that have no file upload field at all. Those values are stored with the entry and are only acted upon later, when an administrator deletes it.
Mechanism of Exploitation
The attack exploits a weakness in the `delete_entry_files()` function within the `Entries_List_Table` class. This function is intended to clean up uploaded files when form submissions are deleted by administrators. However, it lacks essential validations, such as field type validation, file extension checks, and upload directory restriction verification.
The vulnerable code, from the cleanup loop in `delete_entry_files()`, is as follows:
```php
// $value is one stored field value of the entry being deleted; for an upload
// field it is a list of file URLs. Nothing here checks that the field really is
// an upload field, that the URL has an expected extension, or that the resolved
// path stays inside the uploads directory.
foreach ( $value as $file_url ) {
    if ( empty( $file_url ) ) {
        continue;
    }
    // URL -> filesystem path; no normalisation or containment check is applied.
    $file_path = Helper::convert_fileurl_to_filepath( urldecode( $file_url ) );
    if ( file_exists( $file_path ) ) {
        unlink( $file_path ); // removes whatever the submitted path points at
    }
}
```
Nothing in this loop verifies that `$value` came from a file upload field, that the URL carries an expected extension, or that the path returned by `convert_fileurl_to_filepath()` still lies inside the uploads directory. Because the submission values are attacker-controlled, the path can point at any file the web server user is permitted to delete, so when an administrator deletes the poisoned entry, `unlink()` removes that file, `wp-config.php` included.
Potential Impact
With `wp-config.php` gone, WordPress no longer has its database credentials and presents the installation wizard to the next visitor. An attacker can complete that wizard with credentials for a database they control and create an administrator account, which hands them the site and, through the normal plugin and theme upload features, the ability to run code on the server. Unauthorized access to sensitive data, defacement and further compromise of the host follow from there.
Discovery and Disclosure
This vulnerability was identified by security researcher Phat RiO from BlueRock through Wordfence’s Bug Bounty Program. The flaw was responsibly reported on June 21, 2025, highlighting the importance of collaborative efforts in identifying and mitigating security risks.
Affected Versions and Patch Release
The vulnerability affects all versions of SureForms up to and including 1.7.3. Brainstorm Force, the developers of SureForms, released a fixed version on June 30, 2025. The update adds path validation through a `delete_upload_file_from_subdir()` function that restricts deletions to the plugin's own `sureforms` subdirectory of the uploads folder.
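To make the defect in the quoted loop and the property the patch is described as enforcing concrete, here is an added example (not SureForms or Wordfence code): a function that reproduces the unsafe URL-to-path-to-`unlink()` pattern beside a hardened variant that confines deletions to a `sureforms` upload subdirectory. The function names `unsafe_delete()` and `safe_delete()`, the `example.test` base URL, the allowed-extension list and the directory layout are assumptions for the demonstration; the hardened function is an illustration of the containment check, not the vendor's `delete_upload_file_from_subdir()`. It runs stand-alone with PHP 8+ against a throwaway directory tree it builds under the system temp directory.

```php
<?php
// Added illustration, not SureForms code. Shows the unsafe "trust the URL,
// map it to a path, unlink it" pattern and a hardened variant that confines
// deletions to an assumed "sureforms" upload subdirectory. PHP 8+ (uses
// str_starts_with/str_contains). Constructed sample tree, no WordPress needed.
declare(strict_types=1);

// Vulnerable pattern: URL -> path by plain string substitution. "../" segments
// survive untouched, so <base_url>/../../wp-config.php resolves outside uploads.
function unsafe_delete(string $file_url, string $base_url, string $uploads_dir): bool
{
    $path = str_replace($base_url, $uploads_dir, urldecode($file_url));
    if (file_exists($path)) {
        return unlink($path);
    }
    return false;
}

// Hardened variant: accept only URLs under <base_url>/<subdir>/, reject traversal
// and NUL bytes, require an allowed extension, canonicalise with realpath() so
// symlinks are followed, and refuse any target outside the canonical subdirectory.
function safe_delete(
    string $file_url,
    string $base_url,
    string $uploads_dir,
    string $subdir = 'sureforms',                      // assumed subdirectory name
    array $allowed_ext = ['pdf', 'jpg', 'jpeg', 'png'] // assumed upload-field types
): bool {
    $decoded = urldecode($file_url);
    $prefix  = rtrim($base_url, '/') . '/' . $subdir . '/';
    if (!str_starts_with($decoded, $prefix)) {
        return false;                                  // not one of our upload URLs
    }
    $relative = substr($decoded, strlen($prefix));
    if ($relative === '' || str_contains($relative, "\0") || str_contains($relative, '..')) {
        return false;                                  // traversal or malformed
    }
    $ext = strtolower(pathinfo($relative, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return false;                                  // not a file type uploads produce
    }
    $dir  = realpath($uploads_dir . '/' . $subdir);
    $path = realpath($uploads_dir . '/' . $subdir . '/' . $relative);
    if ($dir === false || $path === false || !is_file($path)) {
        return false;                                  // missing, or a directory
    }
    if (!str_starts_with($path, $dir . DIRECTORY_SEPARATOR)) {
        return false;                                  // escaped via symlink or similar
    }
    return unlink($path);
}

// Constructed layout mirroring a WordPress install: <root>/wp-config.php and
// <root>/wp-content/uploads/sureforms/<file>.
$root     = sys_get_temp_dir() . '/sf-demo-' . bin2hex(random_bytes(4));
$uploads  = $root . '/wp-content/uploads';
$base_url = 'https://example.test/wp-content/uploads';
mkdir($uploads . '/sureforms', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // pretend secrets\n");
file_put_contents($uploads . '/sureforms/resume.pdf', 'pdf bytes');

$traversal = $base_url . '/../../wp-config.php';                // plain traversal
$disguised = $base_url . '/sureforms/../../../wp-config.php';   // inside-looking prefix
$legit     = $base_url . '/sureforms/resume.pdf';               // genuine upload

printf("safe_delete(traversal):   %s\n", var_export(safe_delete($traversal, $base_url, $uploads), true));
printf("safe_delete(disguised):   %s\n", var_export(safe_delete($disguised, $base_url, $uploads), true));
printf("wp-config.php present:    %s\n", var_export(file_exists($root . '/wp-config.php'), true));
printf("safe_delete(legit):       %s\n", var_export(safe_delete($legit, $base_url, $uploads), true));
printf("unsafe_delete(traversal): %s\n", var_export(unsafe_delete($traversal, $base_url, $uploads), true));
printf("wp-config.php present:    %s\n", var_export(file_exists($root . '/wp-config.php'), true));

// Remove the constructed tree.
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($it as $item) {
    $item->isDir() ? rmdir($item->getPathname()) : unlink($item->getPathname());
}
rmdir($root);
```

Run it with `php sureforms-demo.php`. The two `safe_delete()` attempts on traversal URLs are refused and the sample `wp-config.php` survives, the genuine upload is deleted, and the final `unsafe_delete()` call removes `wp-config.php` because string substitution never canonicalised the `..` segments. The order of checks matters: the prefix and `..` tests are cheap and reject obvious input, but the `realpath()` containment test is the one that holds when the input is a symlink planted inside the subdirectory, so it is kept even though it looks redundant.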
Recommendations for Users
Users and administrators of websites utilizing the SureForms plugin are strongly advised to:
1. Update Immediately: update to the latest SureForms release (any version later than 1.7.3) so the patched deletion logic is in place.
2. Review Site Integrity: confirm that `wp-config.php` and the rest of the install are intact, check for administrator accounts you did not create, and look through stored SureForms entries for file-URL-like values in fields that are not upload fields; such values are the footprint of a poisoned submission even if no administrator has deleted it yet.
3. Implement Security Best Practices: keep all plugins and themes current, use strong, unique passwords, and enable two-factor authentication for administrator accounts.
Broader Context of WordPress Plugin Vulnerabilities
This incident underscores a broader trend of vulnerabilities in WordPress plugins that can lead to significant security breaches. For instance, in August 2024, a critical flaw was discovered in the WPML plugin, affecting over a million websites. This vulnerability allowed remote code execution through server-side template injection attacks, emphasizing the need for vigilant plugin management. ([cybernews.com](https://cybernews.com/security/critical-wordpress-plugin-vulnerability-affect-million-websites/?utm_source=openai))
Similarly, in May 2024, the WordPress Automatic plugin was found to have a critical SQL injection vulnerability (CVE-2024-27956) with a CVSS score of 9.9. This flaw allowed unauthenticated attackers to create administrative user accounts and gain control of vulnerable sites. ([csa.gov.sg](https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-046?utm_source=openai))
These examples highlight the critical importance of maintaining up-to-date plugins and being aware of potential security risks associated with third-party extensions.
Conclusion
The discovery of the CVE-2025-6691 vulnerability in the SureForms plugin serves as a stark reminder of the potential risks associated with outdated or vulnerable plugins. Website administrators must prioritize regular updates and adhere to security best practices to safeguard their sites against such threats. By staying informed and proactive, the WordPress community can mitigate the risks posed by plugin vulnerabilities and ensure a more secure web environment.