CVE-2025-6742

CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

7.5HIGH

EPSS

0.8%

top 25.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Brainstormforce Sureforms Brainstormforce Sureforms – Drag AND Drop Form Builder FOR Wordpress

Timeline

PublishedJul 9

Description

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chai…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5brainstormforce/sureforms_–_drag_and_drop_form_builder_for_wordpress0.0 — 0.0.13+8

▶NVDbrainstormforce/sureforms0.0.2 — 0.0.14+8

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) Triggered via Admin Submission Deletion↗2025-07-09

▶

GHSA

GHSA-cjv8-prw4-9v8g: The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and includi↗2025-07-09

▶