CVE-2025-6691
Published: 09 July 2025
Summary
CVE-2025-6691 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Brainstormforce Sureforms. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Deeper analysis
The SureForms – Drag and Drop Form Builder for WordPress plugin is vulnerable to arbitrary file deletion in all versions through 1.7.3. The flaw stems from insufficient file path validation inside the delete_entry_files() function, which permits an attacker to supply an arbitrary path that the server will delete.
An unauthenticated attacker can trigger the vulnerable function over the network and remove any file readable by the web server process. Deleting critical files such as wp-config.php can disable the site or enable remote code execution by forcing the application into a misconfigured state.
The referenced Wordfence advisory and the plugin’s Trac changeset indicate that the issue was addressed in a subsequent release; site administrators should apply the available update. The associated EPSS score has remained flat at 0.0143 with no observed increase after disclosure.
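The two mitigations this page names (AC-14, an authorization check before the action; SI-10, validation of the supplied path) can both be enforced in the deletion routine itself. The helper below is an added illustration, not SureForms code; it assumes the standard WordPress functions wp_upload_dir(), current_user_can() and wp_delete_file(), and the sub-directory name "entry-files" is a placeholder rather than the plugin's real storage path.

```php
<?php
/**
 * Added illustration (not SureForms code): a file-deletion helper that
 * confines unlink() to one upload sub-directory and requires an
 * authorized user. The sub-directory name is a placeholder.
 */

/** Directory under wp-content/uploads that deletion is confined to. */
function example_entry_files_dir() {
	$upload = wp_upload_dir();
	return $upload['basedir'] . '/entry-files';
}

/**
 * Delete one stored entry file by bare name. Returns true only when the
 * canonical target lies inside the entry directory and was removed.
 */
function example_delete_entry_file( $requested ) {
	// AC-14: an unauthenticated request never reaches the file-system call.
	if ( ! current_user_can( 'manage_options' ) ) {
		return false;
	}

	// SI-10: accept a plain file name only. Rejecting separators and ".."
	// here means a traversal sequence never reaches realpath() at all.
	if ( '' === $requested || '..' === $requested || $requested !== basename( $requested ) ) {
		return false;
	}

	$base = realpath( example_entry_files_dir() );
	if ( false === $base ) {
		return false; // directory missing: nothing to delete, refuse
	}
	$base .= DIRECTORY_SEPARATOR;

	// realpath() resolves symlinks, so a link planted inside the directory
	// that points at wp-config.php still fails the prefix comparison.
	$target = realpath( $base . $requested );
	if ( false === $target || 0 !== strncmp( $target, $base, strlen( $base ) ) || ! is_file( $target ) ) {
		return false;
	}

	wp_delete_file( $target );
	return ! file_exists( $target );
}
```

The prefix comparison is made on the canonical path, not the raw request, which is the step an "insufficient file path validation" finding usually points at.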
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20783
Vulnerability details
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
- CWE(s): CWE-73 (External Control of File Name or Path)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file deletion in a public-facing WordPress plugin directly enables exploitation under T1190 and file deletion under T1070.004, with a path to RCE through removal of a critical configuration file.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient file path validation in delete_entry_files() by requiring validation of inputs to prevent arbitrary file deletion via path traversal.
- SI-2 (Flaw Remediation): mandates timely flaw remediation by patching the vulnerable plugin versions up to 1.7.3, where path validation is fixed.
- AC-14 (Permitted Actions Without Identification or Authentication): limits permitted actions without authentication to exclude file deletion capabilities, mitigating unauthenticated exploitation.