CVE-2025-6691 is a high-severity vulnerability affecting the SureForms – Drag and Drop Form Builder plugin for WordPress, developed by Brainstormforce. The vulnerability arises from insufficient validation of file paths in the delete_entry_files() function present in all plugin versions up to and including 1.7.3. This flaw allows unauthenticated attackers to perform arbitrary file deletion on the server hosting the WordPress site. By exploiting this vulnerability, an attacker can delete critical files such as wp-config.php, which contains database credentials and other sensitive configuration data. The deletion of such files can disrupt the integrity and availability of the WordPress installation and may facilitate further attacks, including remote code execution (RCE). The CVSS v3.1 score assigned is 8.1, indicating a high severity level. The vector indicates that the attack can be performed remotely without authentication (AV:N/PR:N), requires low attack complexity (AC:L), but does require user interaction (UI:R), and impacts integrity and availability severely (I:H/A:H) without compromising confidentiality (C:N). Although no known exploits are currently reported in the wild, the potential for exploitation is significant given the nature of the vulnerability and the widespread use of WordPress and its plugins. The vulnerability is classified under CWE-73, which relates to external control of file name or path, a common issue leading to path traversal and arbitrary file manipulation attacks. This vulnerability is particularly dangerous because it allows unauthenticated attackers to delete arbitrary files, which can lead to site downtime, data loss, and potential privilege escalation or code execution if critical files are removed or replaced.

For European organizations relying on WordPress websites using the SureForms plugin, this vulnerability poses a substantial risk. The ability for unauthenticated attackers to delete arbitrary files can lead to website outages, loss of critical configuration and data files, and potential compromise of the entire web server environment. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance, especially under GDPR where data integrity and availability are critical. Organizations in sectors such as e-commerce, government, healthcare, and finance, which often use WordPress for public-facing sites or internal portals, are particularly vulnerable. The risk is exacerbated by the fact that exploitation does not require authentication, lowering the barrier for attackers. Additionally, deletion of wp-config.php or similar files can enable attackers to gain remote code execution capabilities, potentially leading to full system compromise, lateral movement, and data breaches. The impact extends beyond the affected website to the hosting infrastructure and connected systems, increasing the potential damage. Given the high adoption of WordPress across Europe, this vulnerability could affect a broad range of organizations, from small businesses to large enterprises.

1. Immediate update or patching: Organizations should upgrade the SureForms plugin to a version beyond 1.7.3 once a patch is released. Until then, consider disabling or uninstalling the plugin to eliminate the attack surface. 2. Web application firewall (WAF): Deploy and configure a WAF to detect and block suspicious requests targeting the delete_entry_files() function or unusual file deletion attempts. 3. File system permissions: Harden file and directory permissions on the WordPress server to restrict deletion rights only to necessary system users and processes, minimizing the impact of arbitrary file deletion. 4. Monitoring and alerting: Implement file integrity monitoring to detect unexpected deletions or modifications of critical files such as wp-config.php and alert administrators immediately. 5. Backup and recovery: Ensure regular, secure backups of WordPress files and databases are maintained and tested for rapid recovery in case of file deletion or compromise. 6. Network segmentation: Isolate web servers hosting WordPress from critical internal networks to limit lateral movement if exploitation occurs. 7. User interaction mitigation: Since the attack requires user interaction, educate users and administrators about phishing or social engineering tactics that might be used to trigger the vulnerability. 8. Incident response readiness: Prepare and test incident response plans specifically for web application compromises involving file deletion and potential RCE scenarios.