200,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in SureForms WordPress Plugin


📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢

🌞 Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!


On June 21st, 2025, we received a submission for an Arbitrary File Deletion vulnerability in SureForms, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be leveraged to delete critical files like wp-config.php, which can lead to remote code execution.

Props to Phat RiO – BlueRock who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $4,050.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 26, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on July 26, 2025.

We contacted the Brainstorm Force team on June 25, 2025, and received a response the next day. After providing full disclosure details, the developer released the patch on June 30, 2025. We would like to commend the Brainstorm Force team for their prompt response and timely and transparent patch.

The Brainstorm Force team took extra steps to help protect their users with point releases back 8 versions, and worked with the WordPress plugins team to undergo a forced update. Most sites running SureForms should be updated to a patched version, however, we urge users to verify their sites are updated with one of the patched versions (1.7.4, 1.6.5, 1.5.1, 1.4.5, 1.3.2, 1.2.5, 1.1.2, 1.0.7, 0.0.14) of SureForms as soon as possible. The Brainstorm Force organization provided an exemplary example of how high threat security issues should be handled.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating
8.8 (High)
Affected Versions
<= 1.7.3
Bounty
$4,050.00
Patched Versions
1.7.4, 1.6.5, 1.5.1, 1.4.5, 1.3.2, 1.2.5, 1.1.2, 1.0.7, 0.0.14
Affected Software Slug

The “SureForms – Drag and Drop Form Builder for WordPress” plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Technical Analysis

SureForms is a popular WordPress plugin that allows users to easily build different types of forms using a drag-and-drop builder.

Examining the code reveals that the plugin uses the handle_form_entry() function in the Form_Submit class to handle the form submissions and save the form entry fields to the database.This function uses the prepare_submission_data() function to prepare the submission data.

Unfortunately, the function does not perform any checks on the values corresponding to the form fields.

public function prepare_submission_data( $submission_data ) {
	$modified_message = [];
	foreach ( $submission_data as $key => $value ) {
		$parts = explode( '-lbl-', $key );
		$label = '';

		if ( ! empty( $parts[1] ) ) {
			$tokens = explode( '-', $parts[1] );
			if ( count( $tokens ) > 1 ) {
				$label = implode( '-', array_slice( $tokens, 1 ) );
			}

			$fields = explode( '-', $parts[0] );

			// Since the upload field returns an array of file URLs, we need to implode them with a comma.
			if ( 'upload' === $fields[1] && ! empty( $value ) && is_array( $value ) ) {
				$modified_message[ $label ] = urldecode( implode( ', ', $value ) );
			} else {
				$modified_message[ $label ] = html_entity_decode( esc_attr( Helper::get_string_value( $value ) ) );
			}
		}
	}

	// If the address is not empty, add it to the submission data.
	// We are providing this for third-party integrations like Ottokit.
	// They can use compact addresses such as permanent address, temporary address, etc.
	// The address will be structured as field 1, field 2, and so on.
	if ( ! empty( $this->addresses ) ) {
		// Address will be JSON stringified, so decode it.
		$address = json_decode( wp_unslash( $this->addresses ), true );
		if ( ! empty( $address ) && is_array( $address ) ) {
			$modified_message = array_merge( $modified_message, $address );
		}
	}

	return $modified_message;
}

This makes it possible for an attacker to submit a file array with an arbitrary file path when submitting the form, even when the form does not include any file fields.

Further examination of the code reveals that the plugin uses the delete_entry_files() function in the Entries_List_Table class to delete a form submission’s uploaded files, when the form submission is deleted manually by the administrator.

public static function delete_entry_files( $entry_id ) {
    if ( ! $entry_id ) {
        return;
    }
    // Get the entry data to get the file URLs.
    $form_data = Entries::get_form_data( $entry_id );
    if ( empty( $form_data ) ) {
        return;
    }
    foreach ( $form_data as $field_name => $value ) {
        // Continue to the next iteration if the field name does not contain 'srfm-upload' and value is not an array.
        if ( false === strpos( $field_name, 'srfm-upload' ) && ! is_array( $value ) ) {
            continue;
        }
        foreach ( $value as $file_url ) {
            // If the file URL is empty, skip to the next iteration.
            if ( empty( $file_url ) ) {
                continue;
            }
            $file_path = Helper::convert_fileurl_to_filepath( urldecode( $file_url ) );

            // Delete the file if it exists.
            if ( file_exists( $file_path ) ) {
                unlink( $file_path );
            }
        }
    }

    // Action to run after deleting the entry files.
    do_action( 'srfm_after_deleting_entry_files', $form_data, $entry_id );
}

Unfortunately, the function does not perform any field type checks or file extension checks, nor does it perform any upload directory restriction checks. This means that this function deletes all files contained in the form data, if the form data value is a file array. As previously established, users can supply a file array to an arbitrary path in any form submission field, even when the field should not accept files. This makes the vulnerability exploitable on any instance with an active form.

Ultimately, this makes it possible for unauthenticated attackers to specify arbitrary files on the server, including the site’s wp-config.php file, and the file will be deleted, when the submission is deleted. Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.

While this vulnerability does require a step of passive or active interaction to exploit, we believe that form submission deletion, especially if created to appear spammy, is a very likely situation to occur making this vulnerability a prime target for attackers. We recommend ensuring all WordPress sites have been updated as soon as possible.

This vulnerability is almost identical to the one we recently covered in Formidable Forms, so we strongly recommend developers take some time to review their code for similar mistakes and utilize this as a learning experience for future development.

The Patch

The vendor patched this issue by adding a file path check with the delete_upload_file_from_subdir() function. This means that the path is restricted to the sureforms subdirectory in the WordPress uploads directory.

public static function delete_entry_files( $entry_id ) {
    if ( ! $entry_id ) {
        return;
    }
    // Get the entry data to get the file URLs.
    $form_data = Entries::get_form_data( $entry_id );
    if ( empty( $form_data ) ) {
        return;
    }
    foreach ( $form_data as $field_name => $value ) {
        // Continue to the next iteration if the field name does not contain 'srfm-upload' and value is not an array.
        if ( false === strpos( $field_name, 'srfm-upload' ) && ! is_array( $value ) ) {
            continue;
        }
        foreach ( $value as $file_url ) {
            // If the file URL is empty, skip to the next iteration.
            if ( empty( $file_url ) ) {
                continue;
            }
            // Delete the file from the uploads directory.
            Helper::delete_upload_file_from_subdir( $file_url, 'sureforms/' );
public static function delete_upload_file_from_subdir( $file_url, $subdir = 'sureforms/' ) {
    // Decode the file URL.
    $file_url = urldecode( $file_url );

    // Check if the file URL is empty.
    if ( empty( $file_url ) || ! is_string( $file_url ) ) {
        return false;
    }

    // Normalize and sanitize the subdirectory.
    $subdir = trailingslashit( sanitize_text_field( $subdir ) );

    // Get the base upload directory.
    $upload_dir       = wp_upload_dir();
    $base_upload_path = trailingslashit( $upload_dir['basedir'] ) . $subdir;

    // Extract only the filename from URL.
    $filename = basename( $file_url );

    // Construct the full file path.
    $file_path = $base_upload_path . $filename;

    // Resolve real paths.
    $real_file_path = realpath( $file_path );
    $real_base_path = realpath( $base_upload_path );

    // Security check: ensure file is inside the target subdir.
    if ( ! $real_file_path || ! $real_base_path || strpos( $real_file_path, $real_base_path ) !== 0 ) {
        return false;
    }

    // Delete if file exists.
    if ( file_exists( $real_file_path ) ) {
        return unlink( $real_file_path );
    }

    return false;
}

We provided additional recommendations to the developer to further harden this endpoint that they plan to explore adding in a future release.

Disclosure Timeline

June 21, 2025 – We received the submission for the Arbitrary File Deletion vulnerability in SureForms via the Wordfence Bug Bounty Program.
June 25, 2025 – We validated the report and confirmed the proof-of-concept exploit. We send an initial outreach to the vendor inviting them to leverage the Wordfence Vulnerability Management Portal for managing the new vulnerability disclosure.
June 26, 2025Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
June 26, 2025 – The vendor responds and opts to utilize email for this disclosure.
June 26, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
June 30, 2025 – The fully patched version of the plugin, 1.7.4, was released along with 8 additional backported point releases (1.6.5, 1.5.1, 1.4.5, 1.3.2, 1.2.5, 1.1.2, 1.0.7, 0.0.14). Brainstorm Force worked with the WordPress plugin’s team to undergo a forced update of the patched versions.
July 26, 2025 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed an Arbitrary File Deletion vulnerability within the SureForms plugin affecting versions 1.7.3 and earlier. This vulnerability allows unauthenticated threat actors to delete arbitrary files on the server which can be leveraged to achieve remote code execution and lead to complete site compromise. The vulnerability has been addressed in version 1.7.4 of the plugin, along with 8 additional point releases (1.6.5, 1.5.1, 1.4.5, 1.3.2, 1.2.5, 1.1.2, 1.0.7, 0.0.14).

We encourage WordPress users to verify that their sites are updated to the latest patched version of SureForms as soon as possible considering the critical nature of this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 26, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on July 26, 2025.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post 200,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in SureForms WordPress Plugin appeared first on Wordfence.

Leave a Comment