A serious security flaw has been found in SureForms, a popular WordPress form plugin installed on more than 200,000 websites worldwide. The vulnerability can allow an attacker to take over an affected site completely.
The issue is tracked as CVE-2025-6691 and carries a high-severity CVSS score of 8.8. It lets an attacker who is not logged in cause arbitrary files on the server to be deleted. That includes wp-config.php, the file that stores the database credentials and secret keys WordPress needs to connect to the site's database.
Once wp-config.php is gone, WordPress behaves like a fresh installation and shows its setup wizard. An attacker can then point the site at a database they control, create their own administrator account and take full control of the site.
The problem lies in how the plugin handles file attachments belonging to form submissions. The code does not validate the file paths it derives from stored submission values, so an attacker can submit a crafted value that the plugin later treats as a file path, even on forms that have no file upload field at all.
One part of the vulnerable code is:
    // $value holds the file URLs stored with the entry; an attacker controls them.
    foreach ( $value as $file_url ) {
        if ( empty( $file_url ) ) {
            continue;
        }
        // The URL is decoded and mapped straight to a filesystem path.
        // Nothing checks that the result stays inside the upload directory.
        $file_path = Helper::convert_fileurl_to_filepath( urldecode( $file_url ) );
        if ( file_exists( $file_path ) ) {
            // Any existing file the web server user can remove is deleted here.
            unlink( $file_path );
        }
    }
This code runs when an administrator deletes form entries. If an attacker has planted a crafted file value in a submission, the loop converts it to a path and deletes whatever it points to, so a critical file such as wp-config.php can be removed with the web server's own privileges, without the administrator realising it.
The flaw was reported by a researcher named Phat RiO through the Wordfence Bug Bounty Program on June 21, 2025. It affects all versions of SureForms up to and including 1.7.3.
The plugin developer, Brainstorm Force, released a patch on June 30, 2025. The fix replaces the unchecked deletion with a safer method, delete_upload_file_from_subdir(), which only deletes files located inside the plugin's own upload directory.
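To show what such a containment check looks like in practice, here is a hardened version of the deletion loop. This is an added illustration, not the SureForms plugin's code and not the patch Brainstorm Force shipped; the function name, the way a URL is mapped to a path ($uploads_url to $uploads_dir) and the demo directory layout are all assumptions made for this example.

```php
<?php
// Added example: a hardened version of the deletion loop shown above. It is
// not the SureForms plugin's code and not Brainstorm Force's patch. The
// URL-to-path mapping ($uploads_url / $uploads_dir) and the function name are
// assumptions made for this illustration.

/**
 * Delete the files referenced by an entry's stored URLs, but only if the
 * resolved path lies inside $uploads_dir. Returns the paths actually deleted.
 */
function sf_delete_entry_files_safely(array $file_urls, string $uploads_dir, string $uploads_url): array
{
    $deleted = [];
    $base = realpath($uploads_dir);
    if ($base === false) {
        return $deleted; // no upload directory, nothing to delete
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach ($file_urls as $file_url) {
        if (!is_string($file_url) || $file_url === '') {
            continue;
        }
        // Decode first, as the original loop does: %2e%2e%2f becomes ../
        $decoded = urldecode($file_url);

        // Only URLs under this site's own upload URL are candidates at all.
        if (strncmp($decoded, $uploads_url, strlen($uploads_url)) !== 0) {
            continue;
        }
        $relative  = ltrim(substr($decoded, strlen($uploads_url)), '/');
        $candidate = $uploads_dir . DIRECTORY_SEPARATOR . $relative;

        // realpath() collapses ../ segments and follows symlinks, so the
        // containment check sees the real target, not the text of the URL.
        $resolved = realpath($candidate);
        if ($resolved === false || strncmp($resolved, $base, strlen($base)) !== 0) {
            continue; // missing, or escapes the upload directory (e.g. wp-config.php)
        }
        if (is_file($resolved) && unlink($resolved)) {
            $deleted[] = $resolved;
        }
    }
    return $deleted;
}

// Constructed demo: a throwaway upload directory with one legitimate upload
// and a decoy wp-config.php above it.
$root        = sys_get_temp_dir() . '/sf-demo-' . getmypid();
$uploads_dir = $root . '/uploads/sureforms';
mkdir($uploads_dir, 0700, true);
file_put_contents($uploads_dir . '/entry-1.pdf', 'legitimate upload');
file_put_contents($root . '/wp-config.php', 'decoy config');

$uploads_url   = 'https://example.com/wp-content/uploads/sureforms';
$stored_values = [
    'https://example.com/wp-content/uploads/sureforms/entry-1.pdf',                 // genuine
    'https://example.com/wp-content/uploads/sureforms/../../wp-config.php',         // traversal
    'https://example.com/wp-content/uploads/sureforms/%2e%2e/%2e%2e/wp-config.php', // encoded traversal
    'https://attacker.example/wp-config.php',                                       // foreign origin
];

print_r(sf_delete_entry_files_safely($stored_values, $uploads_dir, $uploads_url));
var_dump(file_exists($root . '/wp-config.php'));
```

Run with the PHP CLI: only the genuine entry-1.pdf path should be deleted and the decoy wp-config.php should survive, because both traversal variants resolve outside the upload directory and the foreign URL never passes the prefix check. The key design choice is to compare realpath() output against a realpath()-ed base rather than inspecting the URL text, which is why the URL-encoded and plain ../ cases are handled by the same line. The deletion still runs as the web server user, so this check limits where it can reach rather than what it is allowed to do.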
If you use SureForms, update it to the latest version immediately. Keeping plugins up to date remains one of the most effective ways to protect a WordPress site from critical flaws like this one.