SureForms Flaw Exposes 200,000 WordPress Sites to Hackers
A critical flaw in the SureForms WordPress plugin has exposed more than 200,000 websites to full-site takeover. The vulnerability, tracked as CVE-2025-6691 (CVSS 8.8), lets an unauthenticated attacker cause arbitrary files on the server, including wp-config.php, to be deleted. Removing wp-config.php drops WordPress back into its setup mode, at which point the attacker can seize control of the installation.
Researchers traced the issue to the plugin's file-handling code, specifically the prepare_submission_data() function, which does not validate the file paths it stores. An attacker can inject an arbitrary file path into a form submission, which requires no authentication. When an administrator later deletes that submission, the plugin deletes the referenced file without checking its type, extension, or directory, so the attacker's only prerequisite is that someone eventually cleans up the submission.
Brainstorm Force released a patch on June 30, 2025 that restricts deletions to the plugin's own subdirectory. Site owners should update to the latest version immediately.
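The following is an added illustration of the pattern described above and of the kind of restriction the patch applies; it is not SureForms' code, and the function names, the demo directory layout, and the extension allowlist are hypothetical. The vulnerable routine deletes whatever path was stored with the submission; the hardened one resolves the path with realpath() and refuses anything that does not land inside the permitted upload subdirectory.

```php
<?php
// Added example, not SureForms' own code. Names below are hypothetical.
// A real plugin would use wp_upload_dir()['basedir'] for the allowed base
// and wp_delete_file() in place of unlink(); plain PHP is used here so the
// script runs without WordPress.

/**
 * Vulnerable pattern: the path stored at submission time is trusted as-is.
 * If the submitter supplied "../../wp-config.php" (or an absolute path),
 * the admin's "delete submission" action removes that file.
 */
function delete_submission_file_vulnerable(string $stored_path): bool {
    if (file_exists($stored_path)) {
        return unlink($stored_path);
    }
    return false;
}

/**
 * Hardened pattern: resolve both the allowed base and the candidate with
 * realpath(), which collapses "..", symlinks and duplicate separators, then
 * require the resolved candidate to be a plain file strictly under the base
 * and to carry an expected extension. A textual prefix check on the
 * unresolved string would not survive "..", so the check runs on the
 * resolved path only.
 */
function delete_submission_file_hardened(string $stored_path, string $allowed_base): bool {
    $allowed_ext = ['txt', 'pdf', 'png', 'jpg'];   // hypothetical allowlist

    $base   = realpath($allowed_base);
    $target = realpath($stored_path);
    if ($base === false || $target === false) {
        return false;                               // missing or unresolvable
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return false;                               // escapes the subdirectory
    }
    if (!is_file($target)) {
        return false;                               // directories, devices, etc.
    }
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return false;                               // unexpected file type
    }
    return unlink($target);
}

// --- Constructed demo environment: a throwaway tree under the temp dir ---
$root    = sys_get_temp_dir() . '/sureforms-demo-' . bin2hex(random_bytes(4));
$uploads = $root . '/uploads/sureforms';            // the allowed subdirectory
mkdir($uploads, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // fake config\n");
file_put_contents($uploads . '/attachment.txt', "user upload\n");

// Attacker-controlled stored path that climbs out of the upload directory.
$malicious = $uploads . '/../../wp-config.php';

// Vulnerable routine: the fake wp-config.php disappears.
delete_submission_file_vulnerable($malicious);
printf("after vulnerable delete, wp-config.php exists: %s\n",
    file_exists($root . '/wp-config.php') ? 'yes' : 'no');

// Recreate it and retry through the hardened routine: the delete is refused.
file_put_contents($root . '/wp-config.php', "<?php // fake config\n");
printf("hardened delete of traversal path returned: %s\n",
    delete_submission_file_hardened($malicious, $uploads) ? 'true' : 'false');
printf("after hardened delete, wp-config.php exists: %s\n",
    file_exists($root . '/wp-config.php') ? 'yes' : 'no');

// A legitimate upload inside the subdirectory is still deletable.
printf("hardened delete of legitimate upload returned: %s\n",
    delete_submission_file_hardened($uploads . '/attachment.txt', $uploads) ? 'true' : 'false');

// Clean up the demo tree.
@unlink($root . '/wp-config.php');
@rmdir($uploads);
@rmdir($root . '/uploads');
@rmdir($root);
```

Run it with `php demo.php`. Two caveats worth keeping in mind when applying this in a plugin: realpath() only succeeds for paths that exist, which is acceptable for a delete but means a missing file reads as "refused" rather than "already gone"; and the prefix comparison is case-sensitive, so on case-insensitive filesystems the base directory should be normalized the same way the candidate is before comparing.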
Read the full article at: https://cybersecuritynews.com/critical-wordpress-plugin-vulnerability-2/
