A critical vulnerability in the SureForms WordPress plugin, which has over 200,000 active installations, exposes websites to arbitrary file deletion, including deletion of the site's wp-config.php file. That deletion can be leveraged into remote code execution (RCE) and full site takeover.
Discovered and responsibly disclosed by security researcher Phat RiO - BlueRock through the Wordfence Bug Bounty Program, the vulnerability has been assigned CVE-2025-6691 and received a CVSS score of 8.8.
"This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted," Wordfence explained in its report.
At the core of the vulnerability is the plugin's file handling in the delete_entry_files() function, which is used to clean up uploaded files when form submissions are deleted. The function does not validate the stored file paths, does not check that the field in question is actually a file-upload field, and does not restrict deletions to the upload directory, so an attacker can supply a crafted file array even in forms that have no file-upload field at all.
"Unfortunately, the function does not perform any field type checks or file extension checks, nor does it perform any upload directory restriction checks," the report notes.
The problem is compounded by how submission data is processed in the prepare_submission_data() function. Because the input is not verified there either, an unauthenticated attacker can include a path to any file on the server when submitting a form. When an administrator later deletes the submission, for example because it looks like spam, the plugin runs its cleanup and deletes the attacker-supplied path.
"This makes the vulnerability exploitable on any instance with an active form," Wordfence warned.
A practical exploitation vector is a form submission whose file array points at wp-config.php, the core file that stores the database credentials and site configuration. When a site admin deletes that submission (especially if it looks spammy), wp-config.php is removed and, having no database configuration to load, WordPress falls back into its installation/setup mode.
"Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control," the report explains.
Although the attack takes several steps and depends on an administrator deleting the submission, it requires no authentication on the attacker's side, which makes it attractive to opportunistic threat actors.
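To make the bug class concrete, the following is an illustrative example added to this article; it is not SureForms code, and the function names, field names and directory layout are assumptions. It models a submission-cleanup routine that unlinks whatever paths were stored with a form submission (the pattern described above) next to a hardened version that applies the three missing checks: only declared upload fields are considered, the canonical path must sit inside the upload directory, and the extension must be on an allow-list. The demonstration at the bottom runs in a scratch directory with a constructed attacker submission, so it needs no WordPress install.

```php
<?php
// Added illustration, not SureForms code. Function and field names are assumptions.

// Vulnerable pattern: every array value in the submission is treated as a list
// of uploaded files, and each path is deleted exactly as stored.
function delete_entry_files_vulnerable(array $submission): array {
    $deleted = [];
    foreach ($submission as $field => $value) {
        if (!is_array($value)) {
            continue;                      // no field-type check: any array counts
        }
        foreach ($value as $path) {
            if (is_string($path) && is_file($path)) {
                unlink($path);             // attacker-controlled path reaches unlink()
                $deleted[] = $path;
            }
        }
    }
    return $deleted;
}

// Returns the canonical path if $path is an existing regular file inside
// $upload_basedir with a permitted extension, otherwise null.
function resolve_deletable_upload(string $path, string $upload_basedir, array $allowed_ext): ?string {
    $base = realpath($upload_basedir);
    $real = realpath($path);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // realpath() collapses "../" and resolves symlinks, so a prefix test on the
    // canonical path is a real containment check rather than a string heuristic.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // outside the upload directory
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, $allowed_ext, true) ? $real : null;   // e.g. never .php
}

// Hardened pattern: only fields the form definition declares as upload fields
// are inspected, and every path must pass resolve_deletable_upload().
function delete_entry_files_safe(array $submission, array $upload_fields,
                                 string $upload_basedir, array $allowed_ext): array {
    $deleted = [];
    foreach ($upload_fields as $field) {
        if (empty($submission[$field]) || !is_array($submission[$field])) {
            continue;
        }
        foreach ($submission[$field] as $path) {
            $real = is_string($path)
                ? resolve_deletable_upload($path, $upload_basedir, $allowed_ext)
                : null;
            if ($real !== null) {
                unlink($real);
                $deleted[] = $real;
            }
        }
    }
    return $deleted;
}

// --- constructed demonstration in a scratch directory (no WordPress needed) ---
$root = sys_get_temp_dir() . '/sureforms-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/uploads/forms", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // stand-in for the real config\n");
file_put_contents("$root/wp-content/uploads/forms/resume.pdf", "%PDF-1.4 stand-in\n");

// Constructed attacker submission: a plain contact form with no upload field,
// plus a smuggled array value pointing at wp-config.php.
$attacker_submission = [
    'name'     => 'Jane',
    'email'    => 'jane@example.invalid',
    'injected' => ["$root/wp-config.php"],
];

$vuln = delete_entry_files_vulnerable($attacker_submission);
printf("vulnerable: deleted %s; wp-config.php exists: %s\n",
    json_encode($vuln, JSON_UNESCAPED_SLASHES), var_export(is_file("$root/wp-config.php"), true));

file_put_contents("$root/wp-config.php", "<?php // restored for the second run\n");
$safe = delete_entry_files_safe($attacker_submission, [],   // form declares no upload fields
    "$root/wp-content/uploads", ['pdf', 'jpg', 'png']);
printf("hardened: deleted %s; wp-config.php exists: %s\n",
    json_encode($safe, JSON_UNESCAPED_SLASHES), var_export(is_file("$root/wp-config.php"), true));

// A genuine upload in a form that does declare an upload field is still cleaned up.
$legit = delete_entry_files_safe(
    ['attachments' => ["$root/wp-content/uploads/forms/resume.pdf"]], ['attachments'],
    "$root/wp-content/uploads", ['pdf', 'jpg', 'png']);
printf("legitimate: deleted %s\n", json_encode($legit, JSON_UNESCAPED_SLASHES));
```

Inside a real plugin the upload base would come from wp_upload_dir()['basedir'] and the deletion would go through wp_delete_file() rather than a bare unlink(), but the decision logic is the same: the path that reaches the filesystem call must be derived from the form definition and the canonicalised upload directory, never taken from submission data as stored.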
The vulnerability affects all versions of SureForms up to and including 1.7.3. In response, the Brainstorm Force team released patches for eight earlier release branches alongside the current one, so that sites on older branches can update without a major version jump:
"We urge users to verify their sites are updated with one of the patched versions (1.7.4, 1.6.5, 1.5.1, 1.4.5, 1.3.2, 1.2.5, 1.1.2, 1.0.7, 0.0.14) of SureForms as soon as possible," Wordfence advised.