SureForms WordPress Plugin flaw enables unauthenticated file deletion, potential site takeover
Take action: If you have the SureForms WordPress plugin installed, check your version immediately and update to the latest patched release (1.7.4, or the corresponding patched version for your branch). Don't delay this one: you can't really hide the form from the public, and updating the plugin is nearly trivial.
Learn More
A vulnerability has been reported in the SureForms WordPress plugin, a popular drag-and-drop form builder with over 200,000 active installations globally.
The flaw is tracked as CVE-2025-6691 (CVSS score 8.1) and is caused by insufficient file path validation in the delete_entry_files() function within the SureForms plugin's codebase. This flaw allows unauthenticated attackers to delete arbitrary files on the server. The most dangerous attack scenario is the deletion of the wp-config.php file, which controls WordPress database connections and core configurations.
If attackers successfully remove the wp-config.php file, they can force the affected WordPress site into setup mode, allowing them to establish their own database connection and effectively gain complete control over the entire website.
A very similar flaw has already been reported in the Forminator WordPress plugin.
Affected versions
SureForms versions 1.7.3 and lower.
Patched versions
SureForms versions 1.7.4, 1.6.5, 1.5.1, 1.4.5, 1.3.2, 1.2.5, 1.1.2, 1.0.7, and 0.0.14, covering the complete range of affected installations.
The patch implementation introduces the delete_upload_file_from_subdir() function, which enforces strict path restrictions to the 'sureforms/' subdirectory within the WordPress uploads folder.
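To illustrate the kind of path confinement the patch describes, here is an added example of a delete helper that refuses anything resolving outside uploads/sureforms/. It is not SureForms' code: the function name example_delete_upload_file_from_subdir() is hypothetical, and it assumes only the standard WordPress helpers wp_upload_dir(), trailingslashit(), path_is_absolute() and wp_delete_file().

```php
<?php
// Added example, not the plugin's implementation. Confines deletion to the
// 'sureforms/' subdirectory of the WordPress uploads folder, so a traversal
// such as '../../wp-config.php' is rejected before any filesystem write.

/**
 * Delete a file only if it canonicalises to a path inside uploads/sureforms/.
 * Returns true if the file was deleted, false if the request was refused.
 * Callers must still enforce their own authorisation (capability/nonce checks);
 * this helper only guards the path.
 */
function example_delete_upload_file_from_subdir( string $relative_path ): bool {
    $uploads = wp_upload_dir();
    if ( ! empty( $uploads['error'] ) ) {
        return false;
    }

    // Canonical allowed base: resolves symlinks and removes any '..' segments.
    $base = realpath( trailingslashit( $uploads['basedir'] ) . 'sureforms' );
    if ( false === $base ) {
        return false; // subdirectory does not exist; nothing to delete
    }

    // Reject null bytes and absolute paths before touching the filesystem.
    if ( false !== strpos( $relative_path, "\0" ) || path_is_absolute( $relative_path ) ) {
        return false;
    }

    // Resolve the requested file relative to the allowed base.
    $target = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $relative_path, '/\\' ) );

    // realpath() returns false for a missing file; a traversal resolves to a
    // path that does not start with "$base/" and fails the prefix check.
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    if ( ! is_file( $target ) ) {
        return false; // never delete directories or special files
    }

    wp_delete_file( $target );
    return ! file_exists( $target );
}
```

The prefix comparison on the canonicalised path, rather than on the user-supplied string, is what makes the check robust against '..' segments and symlinks.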
WordPress site administrators using SureForms should immediately update to the latest patched version. There are no material mitigations other than disabling the plugin.