Critical WordPress Plugin Vulnerability Exposes 200k Websites to Site Takeover Attack

11 July 2025

A critical security vulnerability has been discovered in the SureForms WordPress plugin, affecting over 200,000 websites worldwide and potentially exposing them to complete site takeover attacks.

The vulnerability, assigned CVE-2025-6691 with a CVSS score of 8.8, lets unauthenticated attackers plant arbitrary file paths in form submissions; when an administrator later deletes those submissions, the referenced files are removed from the server, including the crucial wp-config.php file that holds the WordPress database configuration.

The SureForms plugin, a popular drag-and-drop form builder for WordPress, contains a fundamental flaw in its file handling mechanism that enables malicious actors to exploit form submissions without requiring any authentication.

Once wp-config.php is gone, WordPress falls back to its installation screen. An attacker can then complete the setup wizard against a database they control, which leaves them with an administrator account and effective control of the entire website.

The flaw was reported to Wordfence's Bug Bounty Program by security researcher Phat RiO from BlueRock, who discovered it and responsibly disclosed it on June 21, 2025.

The vulnerability affects all versions of SureForms up to and including 1.7.3, making it a widespread threat across the WordPress ecosystem.

Vulnerability Summary (Source – Wordfence)

The root cause is the plugin's inadequate validation of file paths during form submission processing: the prepare_submission_data() function does not properly validate user-supplied file paths before they are stored with the entry.

Exploitation Mechanism

The attack exploits a weakness in the delete_entry_files() function within the Entries_List_Table class. This function is designed to clean up uploaded files when form submissions are deleted by administrators.

However, the function performs no field type validation, no file extension checks, and no verification that the target path actually lies inside the plugin's upload directory.

The vulnerable code demonstrates the flaw:

// Every stored value is treated as a file URL, whether or not the field was an upload field.
foreach ( $value as $file_url ) {
    if ( empty( $file_url ) ) {
        continue;
    }
    // The URL is mapped to a filesystem path with no check that it stays under the uploads directory.
    $file_path = Helper::convert_fileurl_to_filepath( urldecode( $file_url ) );

    // Whatever path results is unlinked as long as it exists.
    if ( file_exists( $file_path ) ) {
        unlink( $file_path );
    }
}

Attackers can manipulate form submissions to include arbitrary file paths, even in forms without file upload fields. When an administrator deletes such a submission, the attacker-supplied paths are processed and the referenced files, including critical ones such as wp-config.php, are deleted.

Brainstorm Force released a patch on June 30, 2025, implementing proper path validation through the delete_upload_file_from_subdir() function so that file operations are restricted to the sureforms subdirectory. Sites running version 1.7.3 or earlier remain affected and should update to the patched release.
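The following is an added example, not code from SureForms or from the advisory. It places the unsafe "URL to path to unlink" loop shown above beside a hardened version of the kind the patch describes, and runs both against a constructed entry in a throwaway directory. The helper names (convert_fileurl_to_filepath as a stand-in for the plugin's Helper method, safe_delete_upload_file in place of the real delete_upload_file_from_subdir) and the field types are assumptions made for illustration.

```php
<?php
// Added example (not SureForms code). Unsafe delete loop beside a hardened one.
// Function names and field types below are assumptions, not the plugin's own API.
declare(strict_types=1);

// Constructed environment: a throwaway "site root" with a fake wp-config.php and one upload.
$site_url   = 'https://example.test';
$site_root  = sys_get_temp_dir() . '/wp-demo-' . bin2hex(random_bytes(4));
$upload_dir = $site_root . '/wp-content/uploads/sureforms';
mkdir($upload_dir . '/2025/07', 0700, true);
file_put_contents($site_root . '/wp-config.php', "<?php // fake config\n");
file_put_contents($upload_dir . '/2025/07/resume.pdf', 'pdf bytes');

// Stand-in for Helper::convert_fileurl_to_filepath(): swaps the site URL prefix for the
// filesystem root and nothing else, so any URL under the site maps to some path.
function convert_fileurl_to_filepath(string $file_url, string $site_url, string $site_root): string {
    return str_replace($site_url, $site_root, $file_url);
}

// Unsafe pattern from the advisory: every stored value is treated as a file URL and unlinked.
function delete_entry_files_unsafe(array $values, string $site_url, string $site_root): array {
    $deleted = [];
    foreach ($values as $file_url) {
        if (empty($file_url)) {
            continue;
        }
        $file_path = convert_fileurl_to_filepath(urldecode($file_url), $site_url, $site_root);
        if (file_exists($file_path)) {
            unlink($file_path);
            $deleted[] = $file_path;
        }
    }
    return $deleted;
}

// Hardened replacement (assumed name): resolve the path and refuse anything outside the
// plugin's upload subdirectory, anything that is not a regular file, and any unexpected extension.
function safe_delete_upload_file(string $file_url, string $site_url, string $site_root,
                                 string $allowed_dir, array $allowed_ext): bool {
    $candidate = convert_fileurl_to_filepath(urldecode($file_url), $site_url, $site_root);
    $real = realpath($candidate);   // false if missing; also collapses ../ and symlinks
    $base = realpath($allowed_dir);
    if ($real === false || $base === false || !is_file($real)) {
        return false;
    }
    // Containment check: the resolved path must sit strictly below the resolved base.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return false;
    }
    return unlink($real);
}

// Constructed entry: the attacker submitted a URL for wp-config.php in a plain text field.
$entry = [
    'name'   => ['Alice'],
    'resume' => [$site_url . '/wp-content/uploads/sureforms/2025/07/resume.pdf'],
    'notes'  => [$site_url . '/wp-config.php'],
];
$field_types = ['name' => 'input', 'resume' => 'upload', 'notes' => 'textarea'];

// Hardened loop: only fields that are actually upload fields are considered at all.
foreach ($entry as $field => $values) {
    if ($field_types[$field] !== 'upload') {
        continue;
    }
    foreach ($values as $url) {
        $ok = safe_delete_upload_file($url, $site_url, $site_root, $upload_dir, ['pdf', 'png', 'jpg']);
        printf("%-8s %s -> %s\n", $field, $url, $ok ? 'deleted' : 'refused');
    }
}
// The attacker's value fed straight into the hardened helper is refused by the containment check.
$ok = safe_delete_upload_file($entry['notes'][0], $site_url, $site_root, $upload_dir, ['pdf']);
printf("hardened on wp-config.php URL: %s\n", $ok ? 'deleted' : 'refused');
printf("wp-config.php still present: %s\n", file_exists($site_root . '/wp-config.php') ? 'yes' : 'no');

// The same value through the unsafe loop removes the config file.
$gone = delete_entry_files_unsafe($entry['notes'], $site_url, $site_root);
printf("unsafe loop deleted: %s\n", implode(', ', $gone));
printf("wp-config.php still present: %s\n", file_exists($site_root . '/wp-config.php') ? 'yes' : 'no');
```

Run it with `php example.php`. Three separate checks do the work: the field type filter stops text fields from ever reaching the delete path, realpath() plus the prefix comparison keeps the resolved target under the sureforms upload directory even when the URL contains ../ or a symlink, and the extension allow-list limits what kinds of files the plugin will ever unlink. The example leaves its temporary directory behind under the system temp path.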


The post Critical WordPress Plugin Vulnerability Exposes 200k Websites to Site Takeover Attack appeared first on Cyber Security News.
