CVE-2025-6691
📋 TL;DR
The SureForms WordPress plugin has an arbitrary file deletion vulnerability that allows unauthenticated attackers to delete any file on the server. This affects all versions up to 1.7.3 and can lead to remote code execution by deleting critical files like wp-config.php. WordPress sites using the vulnerable plugin are at risk.
💻 Affected Systems
- SureForms – Drag and Drop Form Builder for WordPress
📦 What is this software?
Sureforms by Brainstormforce
Sureforms by Brainstormforce
Sureforms by Brainstormforce
Sureforms by Brainstormforce
Sureforms by Brainstormforce
Sureforms by Brainstormforce
Sureforms by Brainstormforce
Sureforms by Brainstormforce
Sureforms by Brainstormforce
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise via remote code execution by deleting wp-config.php or other critical files, leading to data theft, defacement, or malware installation.
Likely Case
Site disruption or downtime from deletion of important files, potentially requiring full restoration from backups.
If Mitigated
Limited impact if proper file permissions and web application firewalls block exploitation attempts.
🎯 Exploit Status
Simple HTTP requests can trigger the vulnerability without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.4 or later
Vendor Advisory: https://wordpress.org/plugins/sureforms/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find SureForms plugin. 4. Click 'Update Now' if available. 5. If not, download version 1.7.4+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the SureForms plugin until patched.
wp plugin deactivate sureforms
Web Application Firewall
allBlock requests to the vulnerable delete_entry_files() function endpoint.
🧯 If You Can't Patch
- Disable the SureForms plugin immediately.
- Implement strict file permissions (chmod 644 for files, 755 for directories) to limit damage.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → SureForms version. If version is 1.7.3 or lower, you are vulnerable.Check Version:
wp plugin get sureforms --field=versionVerify Fix Applied:
Confirm plugin version is 1.7.4 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to wp-admin/admin-ajax.php with action=sureforms_delete_entry_files
- File deletion errors in web server logs
- Unexpected 404 errors for critical files
Network Indicators:
- Unusual POST requests to admin-ajax.php from unauthenticated sources
- Patterns of file deletion attempts
SIEM Query:
source="web_server_logs" AND (uri="/wp-admin/admin-ajax.php" AND parameters CONTAINS "action=sureforms_delete_entry_files")🔗 References
- https://plugins.trac.wordpress.org/browser/sureforms/trunk/admin/views/entries-list-table.php#L661
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3319753%40sureforms&new=3319753%40sureforms&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/sureforms/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b4658546-bf57-414b-a3c9-bf7a5692c5fe?source=cve
