A severe arbitrary file deletion vulnerability has been discovered in the SureForms WordPress plugin, developed by Brainstorm Force and active on over 200,000 websites. The flaw, tracked as CVE-2025-6691 with a CVSS score of 8.8 (High), affects plugin versions up to and including 1.7.3. It stems from insufficient input validation in the code that handles form submissions and later deletes them.
Because of this, an unauthenticated attacker can plant arbitrary file paths in submitted form data, and the damage occurs when an administrator later deletes the tainted submission.
The core of the issue lies in the prepare_submission_data() function of the Form_Submit class, which stores form entries without adequately scrutinizing field values. An attacker can submit specially crafted data that mimics a file-attachment value, even on forms that have no file-upload field, and the malicious entry is stored in the database as if it were a legitimate upload. When an administrator later deletes that entry, the delete_entry_files() function converts the stored URLs to filesystem paths and removes them with PHP's unlink() without verifying the resolved path, the file extension, or that the target lies inside the plugin's upload directory. This oversight allows deletion of any file the web server process can delete, including WordPress core files such as wp-config.php.
The most damaging target is wp-config.php. Deleting it severs the site's connection to its database, and WordPress responds by presenting the installation wizard. An attacker who reaches that wizard first can complete the installation against a database they control, which gives them an administrator account on the site and, from there, remote code execution and full control of the compromised installation.
This shows how a seemingly simple file deletion bug becomes a full takeover once it can reach a critical configuration file.
The vulnerability was reported by security researcher Phat RiO of BlueRock through the Wordfence Bug Bounty Program. Wordfence deployed a firewall rule for its Premium, Care, and Response users on June 26, 2025, with free users receiving the same protection on July 26, 2025. Brainstorm Force was notified on June 25, 2025 and released patches by June 30, 2025. The patches, spanning multiple versions (1.7.4, 1.6.5, and various backports), introduce a delete_upload_file_from_subdir() function that enforces strict path restrictions and uses realpath checks so that directory traversal sequences cannot escape the plugin's upload subdirectory.
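The following PHP script is an added illustration of the two patterns described above (the unchecked URL-to-path deletion, and a realpath-contained replacement of the kind the patch introduces); it is not SureForms' code, and the function names, the example.com URL, the sureforms subdirectory, and the extension allow-list are assumptions chosen for the demo. It builds a throwaway "WordPress" tree under the system temp directory, plants a tainted attachment URL of the shape an attacker could submit, and shows that the naive delete removes wp-config.php while the hardened delete refuses it yet still removes a legitimate attachment:

```php
<?php
declare(strict_types=1);
// Added illustrative example, not SureForms' code. Function and variable
// names are assumptions; only the pattern (URL rewritten to a path and
// unlinked vs. a realpath-contained delete) follows the advisory.

// Throwaway "WordPress" tree in the system temp dir so the demo runs offline.
$root       = rtrim(sys_get_temp_dir(), '/\\') . '/sf-demo-' . bin2hex(random_bytes(4));
$uploadsDir = $root . '/wp-content/uploads';
$formsDir   = $uploadsDir . '/sureforms';                // assumed subdir the plugin owns
$uploadsUrl = 'https://example.com/wp-content/uploads';  // constructed site URL

function seed(string $root, string $formsDir): void
{
    @mkdir($formsDir, 0700, true);
    file_put_contents($root . '/wp-config.php', "<?php // DB credentials live here\n");
    file_put_contents($formsDir . '/attachment.pdf', '%PDF-1.4 demo');
}

/**
 * Vulnerable pattern: trust the stored value, swap the URL prefix for the
 * filesystem prefix, and unlink whatever that yields. No containment check,
 * so "../" segments walk out of the uploads directory.
 */
function delete_entry_file_vulnerable(string $storedUrl, string $uploadsUrl, string $uploadsDir): bool
{
    $path = str_replace($uploadsUrl, $uploadsDir, $storedUrl);
    return is_file($path) && unlink($path);
}

/**
 * Hardened pattern: only delete a regular file whose canonical path lies
 * inside the plugin's own upload subdirectory and whose extension is allowed.
 */
function delete_entry_file_hardened(string $storedUrl, string $uploadsUrl, string $uploadsDir, string $formsDir, array $allowedExt): bool
{
    $prefix = $uploadsUrl . '/';
    if (strncmp($storedUrl, $prefix, strlen($prefix)) !== 0) {
        return false;                                   // not even under our uploads URL
    }
    $real = realpath($uploadsDir . '/' . substr($storedUrl, strlen($prefix)));
    $base = realpath($formsDir);
    if ($real === false || $base === false || !is_file($real)) {
        return false;                                   // missing, or not a regular file
    }
    // realpath() has collapsed ".." and followed symlinks; now require the
    // result to sit strictly below the allowed subdirectory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                                   // escaped the subdirectory
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;                                   // type not on the allow-list
    }
    return unlink($real);
}

// A value an attacker could plant in a submission, shaped like an attachment URL.
$tainted = $uploadsUrl . '/../../wp-config.php';
$legit   = $uploadsUrl . '/sureforms/attachment.pdf';
$allowed = ['pdf', 'png', 'jpg'];

seed($root, $formsDir);
$r1 = delete_entry_file_vulnerable($tainted, $uploadsUrl, $uploadsDir);
printf("vulnerable: tainted entry deleted wp-config.php? %s\n",
       $r1 && !file_exists("$root/wp-config.php") ? 'yes' : 'no');

seed($root, $formsDir);
$r2 = delete_entry_file_hardened($tainted, $uploadsUrl, $uploadsDir, $formsDir, $allowed);
$r3 = delete_entry_file_hardened($legit,   $uploadsUrl, $uploadsDir, $formsDir, $allowed);
printf("hardened:   tainted refused? %s, legitimate attachment removed? %s\n",
       $r2 ? 'no' : 'yes', $r3 && !file_exists("$formsDir/attachment.pdf") ? 'yes' : 'no');

// Clean up the throwaway tree.
@unlink("$root/wp-config.php"); @unlink("$formsDir/attachment.pdf");
@rmdir($formsDir); @rmdir($uploadsDir); @rmdir("$root/wp-content"); @rmdir($root);
```

Two design points worth noting. The containment check compares against the plugin's own subdirectory rather than the whole uploads directory, which mirrors the "from_subdir" scope of the fix and keeps the plugin from deleting other plugins' uploads. And because realpath() returns false for a path that does not exist, a stored value that points at nothing is refused rather than passed to unlink(), which is the correct failure mode for a delete routine.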
This incident serves as a reminder of the importance of robust security practices in WordPress plugin development. It echoes similar vulnerabilities in other plugins, where inadequate validation in form processing and file handling is a recurring pattern. Exploitation does require an administrator to delete the malicious entry, but the tainted submission typically looks like ordinary spam that an administrator would clear out as a matter of routine, so this requirement is a weak barrier and the vulnerability remains a high threat. Both Wordfence and Brainstorm Force recommend updating immediately; site owners should confirm they are running 1.7.4 or later (or the backported 1.6.5 on the 1.6 branch). Developers are urged to apply strict input sanitization, restrict deletions to an allow-listed directory verified with a realpath check, and enforce type checks on anything treated as an uploaded file. This event underscores the role of proactive vulnerability research and rapid patching in protecting the WordPress ecosystem from widespread compromise.