Cyber Resilience

CVE-2025-6691

High

Published: 09 July 2025

Modified: 11 July 2025
KEV Added: not listed
Patch:
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0143 (81.1th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-6691 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Brainstormforce SureForms. Its CVSS base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

The SureForms – Drag and Drop Form Builder for WordPress plugin is vulnerable to arbitrary file deletion in all versions through 1.7.3. The flaw stems from insufficient file path validation inside the delete_entry_files() function, which lets a caller supply an arbitrary path that the server then deletes.

An unauthenticated attacker can trigger the vulnerable function over the network and remove any file the web server process has permission to delete. Deleting a critical file such as wp-config.php can disable the site or open a path to remote code execution by leaving the application in an unconfigured state.

The referenced Wordfence advisory and the plugin’s Trac changeset indicate that the issue was addressed in a subsequent release; site administrators should apply the available update. The associated EPSS score has remained flat at 0.0143 with no observed increase after disclosure.

EU & UK References

Vulnerability details

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
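The root cause described in the analysis above is a deletion routine that accepts a file name or path from the request and hands it to the filesystem without confirming it resolves inside the directory the routine is meant to manage. The following PHP is an added illustration written for this page, not SureForms' delete_entry_files() or any code from the plugin's changeset: a minimal weak routine beside a hardened one that canonicalises the path with realpath(), requires the allowed directory as a proper prefix, and refuses names that carry directory components. All function names, the temporary directory layout and the sample files are constructed for the demo.

```php
<?php
// Added illustration (not SureForms code): weak vs. hardened handling of a
// caller-supplied entry file name before unlink(). Names are hypothetical.

// Weak pattern (CWE-73): the request value is appended to the upload directory
// and deleted as-is, so "../" components escape the intended directory.
function delete_entry_file_weak(string $uploadDir, string $requestedName): bool
{
    $target = $uploadDir . '/' . $requestedName;   // no validation at all
    return is_file($target) && unlink($target);
}

// Hardened helper: returns the canonical path if, and only if, it lies
// strictly below $allowedDir; otherwise null.
function resolve_inside(string $allowedDir, string $requestedName): ?string
{
    $base = realpath($allowedDir);
    if ($base === false) {
        return null;                                // allowed dir must exist
    }
    // Entry files are plain file names: reject empty values, NUL bytes and
    // any path separator before touching the filesystem.
    if ($requestedName === '' || strpbrk($requestedName, "\0/\\") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requestedName);
    if ($candidate === false) {
        return null;                                // missing or unresolvable
    }
    // realpath() has collapsed ".." and symlinks; demand the base directory
    // plus separator as a prefix so "uploads-old" cannot pass for "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function delete_entry_file_hardened(string $uploadDir, string $requestedName): bool
{
    $target = resolve_inside($uploadDir, $requestedName);
    if ($target === null || !is_file($target)) {
        error_log("rejected entry-file delete request for '$requestedName'"); // audit trail
        return false;
    }
    return unlink($target);
}

// --- self-contained demo on a constructed temporary directory -------------
$root = sys_get_temp_dir() . '/cwe73-demo-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/entry-12.csv", "sample entry export");
file_put_contents("$root/critical.conf", "stand-in for a critical config file");

echo "hardened, traversal name refused: ",
    var_export(delete_entry_file_hardened("$root/uploads", '../critical.conf'), true), "\n";
echo "critical file still present:     ",
    var_export(file_exists("$root/critical.conf"), true), "\n";
echo "hardened, legitimate name:        ",
    var_export(delete_entry_file_hardened("$root/uploads", 'entry-12.csv'), true), "\n";
echo "weak, same traversal name:        ",
    var_export(delete_entry_file_weak("$root/uploads", '../critical.conf'), true), "\n";
echo "critical file after weak call:    ",
    var_export(file_exists("$root/critical.conf"), true), "\n";

// cleanup
@unlink("$root/uploads/entry-12.csv");
@unlink("$root/critical.conf");
rmdir("$root/uploads");
rmdir($root);
```

Inside a real WordPress plugin the same handler would additionally be gated on authorisation (a capability check with current_user_can() and a nonce check with check_ajax_referer() or wp_verify_nonce()), which addresses the unauthenticated reachability the advisory describes; the path containment check above addresses the CWE-73 weakness itself and should be kept even once authentication is enforced, since an authenticated user is not entitled to delete files outside the entry directory either.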

CWE(s)

CWE-73 External Control of File Name or Path

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

Arbitrary file deletion in a public-facing WordPress plugin directly enables T1190 exploitation and T1070.004 file deletion, with a path to RCE via removal of a critical configuration file.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-12529 (shared CWE-73)
CVE-2025-10494 (shared CWE-73)
CVE-2025-9048 (shared CWE-73)
CVE-2025-13322 (shared CWE-73)
CVE-2024-12267 (shared CWE-73)
CVE-2025-10058 (shared CWE-73)
CVE-2025-66254 (shared CWE-73)
CVE-2026-5809 (shared CWE-73)
CVE-2025-0111 (shared CWE-610, CWE-73)
CVE-2024-51961 (shared CWE-610, CWE-73)

Affected Assets

Vendor: brainstormforce
Product: sureforms
Listed versions: 1.5.0; 0.0.2 to 0.0.14; 1.0.0 to 1.0.7; 1.1.0 to 1.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: SI-10 Information Input Validation
Directly addresses the insufficient file path validation in delete_entry_files() by requiring validation of inputs to prevent arbitrary file deletion via path traversal.

prevent: SI-2 Flaw Remediation
Mandates timely flaw remediation by updating plugin versions up to and including 1.7.3 to a release in which path validation is fixed.

prevent: AC-14 Permitted Actions Without Identification or Authentication
Limits permitted actions without authentication to exclude file deletion capabilities, mitigating unauthenticated exploitation.

References