Severe WordPress Plugin Flaw Puts 200,000 Sites at Risk of Full Takeover
A critical arbitrary file deletion vulnerability has been discovered in the SureForms WordPress plugin, affecting over 200,000 active installations and potentially enabling unauthenticated attackers to achieve full site takeover.
The flaw, tracked as CVE-2025-6691 with a CVSS score of 8.8 (High), resides in versions up to 1.7.3 of the plugin, which is developed by Brainstorm Force.
This vulnerability stems from inadequate input validation in the plugin’s form submission handling and deletion mechanisms, allowing malicious actors to inject arbitrary file paths into form data.
When an administrator deletes such a tainted submission, the specified files are removed from the server without proper checks, opening the door to devastating exploits like deleting wp-config.php and forcing the site into a vulnerable setup mode for remote code execution.
Unauthenticated File Deletion
The issue originates in the prepare_submission_data() function within the Form_Submit class, which processes form entries without scrutinizing field values.
Attackers can exploit this by submitting crafted data, including arrays mimicking file uploads, even on forms without file input fields.
These malicious entries are stored in the database, and upon deletion via the delete_entry_files() function in the Entries_List_Table class, the plugin blindly converts URLs to file paths and unlinks them using PHP’s unlink() without verifying paths, extensions, or directory restrictions.
This lack of sanitization means critical files outside the intended upload directory, such as the site’s configuration file, can be targeted.
Deleting wp-config.php disrupts the site’s database connection, prompting a reinstallation wizard that attackers can hijack by linking to their own database, effectively gaining remote code execution capabilities.
Discovered by researcher Phat RiO of BlueRock through the Wordfence Bug Bounty Program, the vulnerability earned a $4,050 bounty.
Wordfence, emphasizing defense-in-depth security, swiftly responded by deploying a firewall rule for Premium, Care, and Response users on June 26, 2025, with free users slated for protection on July 26, 2025.
The Brainstorm Force team was notified on June 25, 2025, and by June 30, 2025 had released patches across multiple versions (1.7.4, 1.6.5, 1.5.1, 1.4.5, 1.3.2, 1.2.5, 1.1.2, 1.0.7, and 0.0.14), including backports for older branches, and worked with WordPress to push forced updates.
The patch introduces the delete_upload_file_from_subdir() function, which restricts deletion to the ‘sureforms/’ subdirectory of the uploads folder, using realpath checks and basename extraction to prevent traversal attacks.
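The two code paths described above, the unchecked URL-to-path-to-unlink sequence and the patched subdirectory-restricted deletion, are illustrated below as an added example. This is not SureForms code and not Wordfence's analysis; the function names, the allowed-extension list and the constructed temporary uploads tree are assumptions chosen to show the defensive pattern in plain PHP, so it runs without WordPress.

```php
<?php
// Added example (hypothetical, not plugin code). Contrasts the unsafe deletion
// pattern the article describes with a hardened helper in the spirit of the patch.

// UNSAFE pattern (for contrast only): a submitter-controlled URL is rewritten to a
// filesystem path and unlinked with no check on directory, name or extension.
// $site_url / $abspath stand in for the site URL and WordPress root (assumed values).
function delete_form_upload_unsafe(string $site_url, string $abspath, string $candidate): bool
{
    $path = str_replace(rtrim($site_url, '/') . '/', rtrim($abspath, '/') . '/', $candidate);
    return is_file($path) && unlink($path);
}

// HARDENED helper: only regular files directly inside <uploads>/sureforms/ with an
// allow-listed extension can be removed, and the resolved path is re-checked.
// $uploads_basedir is the absolute uploads directory (e.g. wp_upload_dir()['basedir']).
function delete_form_upload(string $uploads_basedir, string $candidate,
                            array $allowed_ext = ['jpg', 'jpeg', 'png', 'gif', 'pdf']): bool
{
    // 1. Resolve the only directory deletion is ever permitted in.
    $allowed_dir = realpath($uploads_basedir . DIRECTORY_SEPARATOR . 'sureforms');
    if ($allowed_dir === false) {
        return false;
    }

    // 2. Keep only the file name; any directory component from the submitter is dropped.
    $url_path = parse_url($candidate, PHP_URL_PATH);
    $name = basename(is_string($url_path) ? $url_path : $candidate);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // 3. Allow-list the extension so configuration and code files are never candidates.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return false;
    }

    // 4. Resolve symlinks and '..' and confirm the target is still inside the allowed dir.
    $target = realpath($allowed_dir . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return false; // missing file or not a regular file: treat as a no-op
    }
    $prefix = $allowed_dir . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved outside the sandbox (e.g. a symlink pointing elsewhere)
    }

    return unlink($target);
}

// Demo on a constructed temporary uploads tree (all values here are made up).
$base = sys_get_temp_dir() . '/wp-uploads-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/sureforms', 0700, true);
file_put_contents($base . '/sureforms/photo.jpg', 'demo');
file_put_contents($base . '/wp-config.php', '<?php // constructed stand-in, not a real config');

$site = 'https://example.test';
var_dump(delete_form_upload($base, $site . '/wp-content/uploads/sureforms/photo.jpg')); // true
var_dump(delete_form_upload($base, $site . '/wp-content/uploads/sureforms/photo.jpg')); // false (already gone)
var_dump(delete_form_upload($base, $site . '/wp-config.php'));                           // false (.php not allowed)
var_dump(is_file($base . '/wp-config.php'));                                              // true, untouched

// Clean up the demo tree.
unlink($base . '/wp-config.php');
rmdir($base . '/sureforms');
rmdir($base);
```

The order of the checks matters: basename extraction removes traversal segments, the extension allow-list rules out sensitive file types regardless of location, and the final realpath prefix comparison catches anything the first two miss, such as a symlink inside the subdirectory that points elsewhere. A deletion routine that reaches unlink() only after all three is the shape the patch description above calls for.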
Lessons from a High-Threat Exploit
This vulnerability mirrors a recent flaw in Formidable Forms, highlighting a recurring pattern in WordPress plugins where insufficient validation in form processing and file handling leads to severe security risks.
Exploitation requires an administrator to delete the malicious entry, which is often disguised as spam, so a patient attacker can simply wait for routine cleanup to trigger the deletion.
Wordfence recommends immediate updates to patched versions and urges developers to audit code for similar issues, implementing strict input sanitization, directory whitelisting, and type checks.
Additional hardening suggestions, like enhanced endpoint security, are under consideration for future SureForms releases.
This incident underscores the importance of proactive vulnerability research and rapid patching in securing the WordPress ecosystem, preventing potential widespread site compromises.