CVE-2025-6691

High CVSS: 8.1

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Vendor

Brainstormforce

Product

Sureforms

CWE

CWE-73

Yayın Tarihi

2025-07-09 06:15:23

Güncelleme

2025-07-11 21:22:46

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-73 Sureforms HIGH Brainstormforce 2025

Referanslar

https://plugins.trac.wordpress.org/browser/sureforms/trunk/admin/views/entries-list-table.php#L661 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3319753%40sureforms&new=3319753%40sureforms&sfp_email=&sfph_mail= https://wordpress.org/plugins/sureforms/ https://www.wordfence.com/threat-intel/vulnerabilities/id/b4658546-bf57-414b-a3c9-bf7a5692c5fe?source=cve

Benzer Kayıtlar

Medium

CVE-2025-5921

The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the p…

High

CVE-2025-6742

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in a…

Low

CVE-2025-3513

The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow h…

Low

CVE-2025-3514

The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow h…

Medium

CVE-2024-12713

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in a…

Medium

CVE-2024-56274

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force A…