Critical WordPress Plugin Vulnerability Threatens 200,000 Sites with Takeover Risk

A severe security flaw has been discovered in the SureForms Drag and Drop Form Builder for WordPress plugin, placing over 200,000 WordPress sites at significant risk of full site takeover.

The vulnerability, identified as CVE-2025-6691 and carrying a CVSS rating of 8.8, allows unauthenticated attackers to exploit a logic flaw that can result in the arbitrary deletion of crucial files on the affected server, including the critical wp-config.php file.

The security gap was responsibly reported by researcher Phat RiO BlueRock through the Wordfence Bug Bounty Program, earning a $4,050 bounty, and highlights once again how insecure input validation can expose the entire WordPress ecosystem.

Remote Code Execution

The vulnerability stems from insufficient file path validation within the plugin’s delete_entry_files() function, present in all versions up to and including 1.7.3.

Attackers can submit malformed form data that injects arbitrary file paths, exploiting the plugin’s functionality that automatically deletes files linked to a form entry when an administrator deletes the submission.

Because there were no effective checks to restrict file deletions to the uploads directory or to specific file types, a maliciously crafted submission could specify any file on the server, such as wp-config.php.

Deleting this vital configuration file forces WordPress into an initial setup state, which could be abused by attackers to gain control over the website, potentially leading to remote code execution.

The vulnerability does not require authentication, meaning any threat actor with access to the public site can launch an exploit, and relies only on an administrator eventually deleting the malicious form submission.

As such, it is a realistic attack vector, considering that site admins routinely clear what appear to be spammy or fraudulent form submissions.

Rapid Response

Wordfence promptly validated the issue and provided firewall protection for its Premium, Care, and Response users as of June 26, 2025, with a rollout for free users scheduled for July 26, 2025.

The plugin developer, Brainstorm Force, was contacted on June 25 and responded swiftly. In a model display of responsible disclosure, Brainstorm Force released patched version 1.7.4, along with backported security fixes spanning eight previous versions to maximize user protection.

WordPress plugin maintainers also coordinated a forced update, mitigating the exploitation window for most active installations.

Users are strongly urged to verify that their SureForms installation is updated to at least one of the patched versions: 1.7.4, 1.6.5, 1.5.1, 1.4.5, 1.3.2, 1.2.5, 1.1.2, 1.0.7, or 0.0.14.

The patch addresses the vulnerability by restricting file deletion to files residing within the SureForms subdirectory of the uploads folder, preventing attackers from targeting arbitrary files elsewhere on the server.
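The following is an added example, not SureForms' own code, of the kind of check the article describes being missing in delete_entry_files() and added in the patch: before removing a file recorded against a form entry, resolve the stored path and refuse anything that does not land inside the plugin's own subdirectory of the uploads folder. It assumes the uploads base directory is passed in (a real plugin would take it from wp_upload_dir() and use wp_delete_file() instead of unlink()), that the plugin subdirectory is named "sureforms" as the article states, and that a constructed throwaway directory stands in for a WordPress install so the script runs on its own.

```php
<?php
// Added example (not SureForms' code): delete a form entry's attachments safely.
// Assumptions: $uploads_base is the WordPress uploads directory (wp_upload_dir()['basedir']
// in a real plugin); the plugin keeps its attachments under <uploads>/sureforms/.

/**
 * Delete the files recorded for a form entry, but only if each path resolves to a
 * regular file inside <uploads>/sureforms/. Returns the list of paths actually removed.
 */
function delete_entry_files_safely(array $entry_file_paths, string $uploads_base): array
{
    $allowed_root = realpath($uploads_base . DIRECTORY_SEPARATOR . 'sureforms');
    if ($allowed_root === false) {
        return []; // plugin directory missing: nothing legitimate to delete
    }
    $allowed_prefix = $allowed_root . DIRECTORY_SEPARATOR;
    $deleted = [];

    foreach ($entry_file_paths as $stored_path) {
        if (!is_string($stored_path) || $stored_path === '') {
            continue;
        }
        // Canonicalise (symlinks and "../" segments) before comparing: a prefix check
        // on the raw stored string can be bypassed, a check on the resolved path cannot.
        $resolved = realpath($stored_path);
        if ($resolved === false || !is_file($resolved)) {
            continue; // missing, or a directory / special file
        }
        if (strncmp($resolved, $allowed_prefix, strlen($allowed_prefix)) !== 0) {
            error_log("delete_entry_files: refused path outside uploads/sureforms: $stored_path");
            continue;
        }
        // Defence in depth: only upload-style extensions, never PHP or config files.
        $ext = strtolower(pathinfo($resolved, PATHINFO_EXTENSION));
        if (!in_array($ext, ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'csv'], true)) {
            error_log("delete_entry_files: refused disallowed extension: $stored_path");
            continue;
        }
        if (unlink($resolved)) { // wp_delete_file() in a real plugin
            $deleted[] = $resolved;
        }
    }
    return $deleted;
}

// --- Constructed demonstration: a throwaway directory standing in for a WordPress install ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/uploads/sureforms", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // constructed stand-in for the real config\n");
file_put_contents("$root/wp-content/uploads/sureforms/resume.pdf", "constructed attachment");
file_put_contents("$root/wp-content/uploads/other.txt", "constructed file in uploads, outside the plugin dir");

// Stored entry metadata (constructed): one legitimate attachment plus two values that
// reached the entry through the submission rather than through a real upload.
$entry_files = [
    "$root/wp-content/uploads/sureforms/resume.pdf",
    "$root/wp-content/uploads/sureforms/../../../wp-config.php",
    "$root/wp-content/uploads/other.txt",
];

$removed = delete_entry_files_safely($entry_files, "$root/wp-content/uploads");
printf("removed: %s\n", implode(', ', $removed));
printf("wp-config.php still present: %s\n", file_exists("$root/wp-config.php") ? 'yes' : 'no');
printf("other.txt still present: %s\n", file_exists("$root/wp-content/uploads/other.txt") ? 'yes' : 'no');
```

Running this with the PHP CLI removes only resume.pdf; the traversal path and the file that sits in uploads but outside the plugin subdirectory are both refused and logged. The two rejected cases also make a useful detection signal: a plugin that logs refused deletions gives the site owner a record of entries whose file metadata was tampered with, which is exactly the kind of submission the article says admins tend to delete as spam without a second look.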

The developers have indicated additional hardening improvements are under consideration for future releases.

This vulnerability draws parallels to recent issues seen in other WordPress plugins and serves as a critical lesson for plugin developers to consistently validate file paths and restrict file operations to secure directories.

With Wordfence and Brainstorm Force exemplifying rapid, transparent, and effective vulnerability management, the incident underscores the importance of community-driven security and defense-in-depth strategies for the broader WordPress platform.

Site owners are advised to update their plugins without delay and regularly audit installed software for similar risks to mitigate the growing threat landscape targeting web applications.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
