The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CVE-2025-6742 is a high-severity vulnerability affecting the SureForms – Drag and Drop Form Builder plugin for WordPress, developed by Brainstormforce. The vulnerability is categorized under CWE-502, which involves deserialization of untrusted data, specifically PHP Object Injection. This issue exists in all versions of the plugin up to and including version 1.7.3. The root cause is the use of the PHP function file_exists() within the delete_entry_files() function without proper validation or restriction on the file path input. This flaw allows unauthenticated attackers to inject malicious PHP objects. However, the vulnerability alone does not lead to direct exploitation because the plugin itself lacks a gadget or POP (Property Oriented Programming) chain necessary to execute arbitrary code or perform other malicious actions. The risk arises when the vulnerable plugin is installed alongside other plugins or themes that contain exploitable POP chains. In such scenarios, attackers can leverage the deserialization flaw combined with these chains to delete arbitrary files, access sensitive data, or execute arbitrary code on the affected WordPress site. The CVSS 3.1 score of 7.5 reflects the high impact on confidentiality, integrity, and availability, with network attack vector, no privileges required, but requiring user interaction. No known public exploits are reported yet, but the potential for serious damage exists if combined with other vulnerable components. This vulnerability highlights the risks of insecure deserialization in WordPress plugins and the importance of validating input paths and restricting file operations.

CVE Database V5

Detailed information about CVE-2025-6742: CWE-502 Deserialization of Untrusted Data in brainstormforce SureForms – Drag and Drop Form Builder for WordPress affe

CVE-2025-6742: CWE-502 Deserialization of Untrusted Data in brainstormforce SureForms – Drag and Drop Form Builder for WordPress - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6742: CWE-502 Deserialization of Untrusted Data in brainstormforce SureForms – Drag and Drop Form Builder for WordPress

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVE-2025-6691 is a high-severity vulnerability affecting the SureForms – Drag and Drop Form Builder plugin for WordPress, developed by Brainstormforce. The vulnerability arises from insufficient validation of file paths in the delete_entry_files() function present in all plugin versions up to and including 1.7.3. This flaw allows unauthenticated attackers to perform arbitrary file deletion on the server hosting the WordPress site. By exploiting this vulnerability, an attacker can delete critical files such as wp-config.php, which contains database credentials and other sensitive configuration data. The deletion of such files can disrupt the integrity and availability of the WordPress installation and may facilitate further attacks, including remote code execution (RCE). The CVSS v3.1 score assigned is 8.1, indicating a high severity level. The vector indicates that the attack can be performed remotely without authentication (AV:N/PR:N), requires low attack complexity (AC:L), but does require user interaction (UI:R), and impacts integrity and availability severely (I:H/A:H) without compromising confidentiality (C:N). Although no known exploits are currently reported in the wild, the potential for exploitation is significant given the nature of the vulnerability and the widespread use of WordPress and its plugins. The vulnerability is classified under CWE-73, which relates to external control of file name or path, a common issue leading to path traversal and arbitrary file manipulation attacks. This vulnerability is particularly dangerous because it allows unauthenticated attackers to delete arbitrary files, which can lead to site downtime, data loss, and potential privilege escalation or code execution if critical files are removed or replaced.

Detailed information about CVE-2025-6691: CWE-73 External Control of File Name or Path in brainstormforce SureForms – Drag and Drop Form Builder for WordPress a

CVE-2025-6691: CWE-73 External Control of File Name or Path in brainstormforce SureForms – Drag and Drop Form Builder for WordPress - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6691: CWE-73 External Control of File Name or Path in brainstormforce SureForms – Drag and Drop Form Builder for WordPress

A vulnerability was found in Campcodes Payroll Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /ajax.php?action=delete_position. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7218 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Payroll Management System. The vulnerability arises from improper sanitization of the 'ID' parameter in the /ajax.php?action=delete_position endpoint. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially altering or extracting sensitive payroll data from the backend database. The vulnerability requires no authentication or user interaction, making it accessible to unauthenticated remote attackers. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is rated as low individually but combined could lead to significant data exposure or unauthorized data modification. Although no exploits are currently known in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The lack of available patches or mitigation from the vendor further elevates the threat. Payroll systems typically contain sensitive employee information and financial data, making this vulnerability particularly critical in environments where the Campcodes Payroll Management System is deployed. Attackers exploiting this vulnerability could exfiltrate payroll records, manipulate salary data, or disrupt payroll operations, leading to financial loss, reputational damage, and regulatory compliance issues.

Detailed information about CVE-2025-7218: SQL Injection in Campcodes Payroll Management System affecting Campcodes Payroll Management System. Get real-time upda

CVE-2025-7218: SQL Injection in Campcodes Payroll Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7218: SQL Injection in Campcodes Payroll Management System

A vulnerability has been found in Campcodes Payroll Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /ajax.php?action=save_position. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7217 is a critical SQL Injection vulnerability identified in version 1.0 of the Campcodes Payroll Management System. The vulnerability exists in the /ajax.php endpoint, specifically when handling the 'action=save_position' request parameter. The issue arises due to improper sanitization or validation of the 'ID' argument, which allows an attacker to inject malicious SQL code remotely without requiring any authentication or user interaction. This flaw can be exploited over the network (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the underlying database, as attackers can manipulate SQL queries to extract sensitive payroll data, modify records, or disrupt database operations. Although the CVSS 4.0 score is 6.9 (medium severity), the potential for data leakage or unauthorized modification in a payroll system elevates the risk profile. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability disclosure date is July 9, 2025. Given the critical nature of payroll data and the direct remote exploitation vector, this vulnerability demands urgent attention from organizations using this software version.

Detailed information about CVE-2025-7217: SQL Injection in Campcodes Payroll Management System affecting Campcodes Payroll Management System. Get real-time upda

CVE-2025-7217: SQL Injection in Campcodes Payroll Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7217: SQL Injection in Campcodes Payroll Management System

A vulnerability was found in Campcodes Payroll Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /ajax.php?action=delete_allowances. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-7219: SQL Injection in Campcodes Payroll Management System affecting Campcodes Payroll Management System. Get real-time upda

CVE-2025-7219: SQL Injection in Campcodes Payroll Management System

CVE-2025-7219: SQL Injection in Campcodes Payroll Management System

Description

Technical Details

Related Threats

CVE-2025-6742: CWE-502 Deserialization of Untrusted Data in brainstormforce SureForms – Drag and Drop Form Builder for WordPress

CVE-2025-6691: CWE-73 External Control of File Name or Path in brainstormforce SureForms – Drag and Drop Form Builder for WordPress

CVE-2025-7218: SQL Injection in Campcodes Payroll Management System

CVE-2025-7217: SQL Injection in Campcodes Payroll Management System

CVE-2025-7216: Deserialization in lty628 Aidigu

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility