PT-2025-28844 · WordPress · Sureforms

Phat Rio · Published 2025-07-09 · Updated 2025-07-14

CVE-2025-6742 · CVSS v3.1 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SureForms – Drag and Drop Form Builder for WordPress, all versions up to and including 1.7.3
Description: SureForms is vulnerable to PHP Object Injection via deserialization of untrusted input. The delete_entry_files() function calls file_exists() on a supplied path without restricting that path, and because PHP filesystem functions honour stream wrappers, a phar:// path causes the serialized metadata of an attacker-supplied phar archive to be deserialized, letting unauthenticated attackers inject a PHP object. The vulnerability has no impact on its own; it becomes exploitable only if another plugin or theme on the site supplies a POP chain, in which case the attacker may be able to delete arbitrary files, retrieve sensitive data, or execute code, depending on the chain present.
Recommendations: Update SureForms to a version later than 1.7.3, which resolves the issue. If updating is not immediately possible, restrict access to the delete_entry_files() function as a temporary workaround. Developers should not pass an unvalidated path to file_exists() in delete_entry_files(): reject stream-wrapper prefixes such as phar:// and confine the path to the intended entry-file directory before any filesystem call.
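The pattern behind this class of bug, and the check a maintainer would add, as an added PHP example. This is not SureForms code: the function names delete_entry_files_vulnerable(), resolve_entry_file() and delete_entry_files_hardened(), the base-relative path convention and the temporary directory layout are assumptions made for illustration. It needs PHP 8.0 or later for str_contains() and str_starts_with(). One caveat for triage: PHP 8.0 stopped automatically unserializing phar metadata on plain filesystem operations, so the phar:// trigger described above needs a PHP 7.x runtime to instantiate objects; the path confinement is worth applying regardless, since it also stops traversal out of the intended directory.

```php
<?php
// Added example (not SureForms code; function and variable names are
// hypothetical). Contrasts the vulnerable pattern, file_exists() on an
// attacker-controlled path, with a version that confines the path.
declare(strict_types=1);

// Vulnerable pattern. PHP filesystem functions honour stream wrappers, so a
// path such as "phar://uploads/evil.jpg/x" makes file_exists() open the phar
// archive and (on PHP 7.x) unserialize() its metadata, instantiating
// attacker-chosen classes. Harmless by itself; dangerous with a POP chain.
function delete_entry_files_vulnerable(array $file_paths): int
{
    $deleted = 0;
    foreach ($file_paths as $path) {
        if (file_exists($path) && @unlink($path)) {
            $deleted++;
        }
    }
    return $deleted;
}

// Resolve a user-supplied, base-relative entry file path or return null.
// 1. Reject any "scheme://" prefix (phar://, php://, data://, ...).
// 2. Reject NUL bytes (a classic extension-check bypass; realpath() would
//    also throw on them in PHP 8).
// 3. Canonicalise with realpath() and require the result to stay strictly
//    inside $base_dir, which also defeats ../ traversal and symlink escapes.
function resolve_entry_file(string $path, string $base_dir): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return null;
    }
    if (str_contains($path, "\0")) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $path);
    if ($real === false) {
        return null; // does not exist, so nothing to delete anyway
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($real, $prefix) || !is_file($real)) {
        return null;
    }
    return $real;
}

function delete_entry_files_hardened(array $file_paths, string $base_dir): int
{
    $deleted = 0;
    foreach ($file_paths as $path) {
        $real = resolve_entry_file((string) $path, $base_dir);
        if ($real !== null && unlink($real)) {
            $deleted++;
        }
    }
    return $deleted;
}

// Self-check on a constructed temporary layout:
//   <base>/entries/upload.txt   (legitimate entry file)
//   <base>/outside.txt          (must never be reachable)
$base = sys_get_temp_dir() . '/entry_files_' . bin2hex(random_bytes(4));
mkdir($base . '/entries', 0700, true);
file_put_contents($base . '/entries/upload.txt', 'x');
file_put_contents($base . '/outside.txt', 'x');

$cases = [
    'entries/upload.txt'                        => true,  // accepted
    '../outside.txt'                            => false, // traversal
    'phar://' . $base . '/entries/upload.txt/x' => false, // stream wrapper
    "entries/upload.txt\0.jpg"                  => false, // NUL byte
];
foreach ($cases as $input => $expected) {
    $accepted = resolve_entry_file($input, $base) !== null;
    printf("%-8s %s\n", $accepted === $expected ? 'pass' : 'FAIL',
        addcslashes($input, "\0"));
}

// Only the legitimate path is deleted; outside.txt survives the traversal attempt.
$n = delete_entry_files_hardened(['entries/upload.txt', '../outside.txt'], $base);
printf("%-8s deleted=%d outside_intact=%s\n",
    ($n === 1 && is_file($base . '/outside.txt')) ? 'pass' : 'FAIL',
    $n, var_export(is_file($base . '/outside.txt'), true));

// Clean up the constructed layout.
@unlink($base . '/outside.txt');
@rmdir($base . '/entries');
@rmdir($base);
```

The wrapper check runs before any filesystem call, because realpath() and file_exists() both go through the stream layer and would themselves trigger the phar handler. Checking the scheme with a regular expression rather than a fixed list means php://, data:// and any extension-registered wrapper are refused along with phar://.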

Fix: Update SureForms to a version later than 1.7.3.

Weakness Enumeration: Deserialization of Untrusted Data (CWE-502)

Related Identifiers: CVE-2025-6742

Affected Products: SureForms