EUVD-2025-20783
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
4Description
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Analysis
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Technical Context
Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication.
Affected Products
Affected products: Brainstormforce Sureforms
Remediation
A vendor patch is available — apply it immediately. Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today