A critical security vulnerability has been discovered in the popular SureForms WordPress plugin, putting over 200,000 active installations at risk of complete website takeover.
The flaw, designated CVE-2025-6691 with a high CVSS rating of 8.8, allows unauthenticated attackers to delete arbitrary files from affected servers, potentially leading to remote code execution.
The vulnerability was discovered by security researcher Phat RiO from BlueRock and reported through Wordfence’s Bug Bounty Program on June 21, 2025.
The researcher earned a $4,050 bounty for responsibly disclosing this critical security flaw that affects all versions of SureForms up to and including 1.7.3.
The vulnerability stems from insufficient file path validation in the plugin’s delete_entry_files() function.
When administrators delete form submissions, the plugin attempts to remove associated uploaded files without properly validating file paths or restricting operations to safe directories.
Attackers can exploit this flaw by submitting malicious form data containing arbitrary file paths, even when forms don’t include file upload fields.
The plugin’s prepare_submission_data() function fails to validate field values, allowing attackers to specify critical system files such as wp-config.php in their submissions.
When an administrator later deletes what appears to be a spam submission, the plugin inadvertently deletes the attacker-specified files.
Removing wp-config.php forces WordPress into setup mode, enabling attackers to connect the site to a database under their control and achieve complete site compromise.
The vulnerability requires some social engineering, as attackers must wait for administrators to delete submissions. However, security experts consider this highly likely, especially for submissions crafted to appear suspicious or spammy.
Brainstorm Force, the plugin’s developer, demonstrated exemplary vulnerability handling. After receiving disclosure details on June 26, 2025, they released patches within four days on June 30, 2025.
The company went above and beyond standard practices by creating eight backported point releases, covering versions dating back to 0.0.14, to ensure comprehensive protection across its user base.
The patched versions (1.7.4, 1.6.5, 1.5.1, 1.4.5, 1.3.2, 1.2.5, 1.1.2, 1.0.7, 0.0.14) implement proper file path validation through a new delete_upload_file_from_subdir() function that restricts file operations to the plugin’s designated upload directory.
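To make the fix concrete, the following is an added example (not SureForms code, and not the plugin’s actual delete_upload_file_from_subdir() implementation) of a containment check that treats the submitted value as a file name relative to the plugin’s upload directory and refuses to delete anything that resolves outside it. The function name, the constructed temp directory and the sample files are assumptions for the demonstration.

```php
<?php
// Hypothetical hardened delete for a submission's uploaded file (added example).
// $base_dir: the plugin's designated upload directory.
// $requested: the untrusted value taken from the submission data.
function safe_delete_upload(string $base_dir, string $requested): bool
{
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false; // upload directory missing: nothing safe to do
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Never honour an absolute path: strip leading separators so the value is
    // always joined onto the upload directory, then resolve symlinks and ".."
    // before comparing, so the check sees the real target on disk.
    $candidate = realpath($base . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return false; // does not exist, or is not a regular file
    }
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return false; // resolved target lies outside the upload directory
    }
    return unlink($candidate);
}

// Constructed fixture: a throwaway upload directory holding one legitimate
// upload, plus a sensitive-looking file one level above it.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sureforms-demo-' . uniqid();
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'entry-42.pdf', 'sample upload');
file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-config.php', 'constructed stand-in');

// Each call is one kind of submitted value; only the genuine upload is removed.
var_dump(safe_delete_upload($uploads, '../wp-config.php'));  // value containing ".."
var_dump(safe_delete_upload($uploads, '/etc/passwd'));       // absolute path
var_dump(safe_delete_upload($uploads, 'entry-42.pdf'));      // legitimate upload
var_dump(file_exists($root . DIRECTORY_SEPARATOR . 'wp-config.php'));

// Clean up the fixture.
unlink($root . DIRECTORY_SEPARATOR . 'wp-config.php');
rmdir($uploads);
rmdir($root);
```

The key point for reviewers of similar code is the order of operations: resolve with realpath() first, then compare against the resolved base with its trailing separator, so that a sibling directory whose name merely starts with the base name is also rejected.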
Wordfence Premium, Care, and Response users received firewall protection on June 26, 2025. Free users will receive the same protection on July 26, 2025.
WordPress administrators should immediately verify that their SureForms installations are up to date to prevent potential exploitation of this severe vulnerability.