CVE-2025-6691
Published: 09 July 2025
Summary
CVE-2025-6691 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Brainstormforce Sureforms. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the insufficient file path validation in delete_entry_files() by requiring validation of inputs to prevent arbitrary file deletion via path traversal.
Mandates timely flaw remediation by updating vulnerable plugin versions (up to and including 1.7.3) to a release in which the path validation is fixed.
Limits permitted actions without authentication to exclude file deletion capabilities, mitigating unauthenticated exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file deletion in a public-facing WordPress plugin directly enables T1190 exploitation and T1070.004 file deletion, with a path to RCE via removal of critical configuration files.
NVD Description
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Deeper analysis
CVE-2025-6691 is an arbitrary file deletion vulnerability in the SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress, affecting all versions up to and including 1.7.3. The issue stems from insufficient file path validation in the delete_entry_files() function, enabling attackers to delete arbitrary files on the server. Published on 2025-07-09, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) and maps to CWE-73 (External Control of File Name or Path) and CWE-610 (Externally Controlled Reference to a Resource in Another Sphere).
Unauthenticated attackers can exploit this vulnerability over the network with low complexity, though it requires user interaction. By targeting critical files such as wp-config.php, exploitation can easily lead to remote code execution, resulting in high integrity and availability impacts but no direct confidentiality loss.
References point to the vulnerable code in admin/views/entries-list-table.php at line 661, a specific changeset (3319753) in the WordPress plugin trac repository indicating a patch, the plugin's page on WordPress.org, and Wordfence threat intelligence for further details on the issue. Mitigation requires updating to a version beyond 1.7.3 where the file path validation has been addressed.
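The following is an added illustration of the kind of file path validation (SI-10) that closes a CWE-73 deletion flaw; it is not SureForms' code and does not reproduce the patched changeset. It assumes a hypothetical helper that only ever deletes a regular file referenced by bare file name inside a fixed entry-uploads directory; authentication and capability checks (AC-14) are a separate, prerequisite control not shown here.

```php
<?php
// Added illustration (not SureForms' code): confine a user-supplied file name
// to a fixed entry-uploads directory before unlinking it (CWE-73 mitigation).

/**
 * Return the canonical path of $requested if it is a regular file located
 * directly inside $allowedDir; return null otherwise. Hypothetical helper.
 */
function resolve_deletable_entry_file(string $allowedDir, string $requested): ?string {
    $base = realpath($allowedDir);
    if ($base === false) {
        return null;
    }
    // A stored entry file is referenced by bare file name only, so any
    // directory component (including "..") is rejected before touching disk.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves symlinks, so a link pointing outside $base is caught
    // by the prefix check below rather than followed.
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function delete_entry_file_safely(string $allowedDir, string $requested): bool {
    $path = resolve_deletable_entry_file($allowedDir, $requested);
    if ($path === null) {
        // Log refused attempts: repeated traversal-style names are a detection signal.
        error_log('Refused entry file deletion outside uploads dir: ' . $requested);
        return false;
    }
    return unlink($path);
}

// Constructed demo: a throwaway uploads dir, one legitimate entry file and
// one traversal-style name that must be refused.
$dir = sys_get_temp_dir() . '/entry-uploads-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/entry-42.pdf', 'sample');
var_dump(delete_entry_file_safely($dir, 'entry-42.pdf'));
var_dump(delete_entry_file_safely($dir, '../../wp-config.php'));
rmdir($dir);
```

The first call deletes the constructed entry file; the second is refused without any filesystem access beyond the realpath() lookup, and the refusal is written to the PHP error log.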
Details
- CWE(s)