CVE-2025-6691 is a vulnerability categorized under CWE-73 (External Control of File Name or Path) found in the SureForms – Drag and Drop Form Builder for WordPress plugin developed by Brainstormforce. The flaw exists in the delete_entry_files() function, where the plugin fails to properly validate file paths before deletion. This lack of validation allows unauthenticated attackers to craft requests that delete arbitrary files on the web server hosting the WordPress site. Since the deletion of critical files such as wp-config.php can disrupt site configuration and potentially enable remote code execution, the impact is severe. The vulnerability affects all plugin versions from 0.0 through 1.7.3. The CVSS 3.1 base score is 8.1, reflecting network attack vector (no authentication), low attack complexity, no privileges required, but requiring user interaction. The scope is unchanged, and the impact is high on integrity and availability, with no direct confidentiality impact. Although no exploits have been reported in the wild yet, the vulnerability’s nature and ease of exploitation make it a significant threat to WordPress sites using this plugin. The plugin’s popularity and WordPress’s widespread use increase the potential attack surface globally.

The vulnerability allows attackers to delete arbitrary files on the server without authentication, which can cause denial of service by removing essential files or lead to remote code execution if critical files like wp-config.php are deleted. This compromises the integrity and availability of affected WordPress sites and can result in complete site takeover or defacement. Organizations relying on SureForms for form building face risks of data loss, service disruption, and potential further exploitation if attackers gain control over the server. The widespread use of WordPress, combined with the plugin’s presence on many sites, means that a large number of websites globally are at risk. The attack requires only user interaction, which could be as simple as tricking a site administrator or user into triggering the malicious request, increasing the likelihood of exploitation. The absence of known exploits in the wild currently provides a window for remediation, but the vulnerability’s characteristics suggest it could be weaponized rapidly once publicized.

1. Immediately update the SureForms plugin to a patched version once available from Brainstormforce. 2. Until a patch is released, restrict access to the delete_entry_files() functionality by implementing web application firewall (WAF) rules that block suspicious requests targeting file deletion endpoints. 3. Harden file system permissions to prevent the web server user from deleting critical files such as wp-config.php. 4. Monitor server logs for unusual file deletion attempts or errors related to missing files. 5. Employ intrusion detection systems (IDS) to detect anomalous HTTP requests that could exploit this vulnerability. 6. Educate site administrators and users to avoid interacting with untrusted links or inputs that could trigger the vulnerability. 7. Consider temporarily disabling or removing the SureForms plugin if immediate patching is not feasible. 8. Regularly back up WordPress site files and databases to enable quick recovery in case of successful exploitation.