71 matches found
CVE-2025-5921
CVE-2025-5921 affects the SureForms WordPress plugin prior to version 1.7.2. The vulnerability is a Reflected Cross-Site Scripting caused by insufficient sanitisation/escaping of a parameter before output, potentially exploitable against both authenticated and unauthenticated users. Remediation: ...
CVE-2025-5921 SureForms < 1.7.2 - Reflected XSS
The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users...
CVE-2025-5921 SureForms < 1.7.2 - Reflected XSS
The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users...
PT-2025-31616 Β· WordPress Β· Sureforms
Name of the Vulnerable Software and Affected Versions: SureForms WordPress plugin versions prior to 1.7.2 Description: The SureForms WordPress plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. This can be...
WordPress SureForms plugin < 1.7.2 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin SureForms versions 1.7.2...
CVE-2025-6742
The SureForms β Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of fileexists in the deleteentryfiles function without restriction on the path provided. This makes it possible for...
CVE-2025-6691
The SureForms β Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteentryfiles function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to...
200,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in SureForms WordPress Plugin
π’ Calling all Vulnerability Researchers and Bug Bounty Hunters!π’ π Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards forall in-scope submissions from our βHigh Threatβ list in software with fewer than 5 million active installs. Bounties up to $31,200 per...
CVE-2025-6742
The SureForms β Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of fileexists in the deleteentryfiles function without restriction on the path provided. This makes it possible for...
CVE-2025-6742
Mode C: CVE-2025-6742 affects the WordPress plugin SureForms β Drag and Drop Form Builder for WordPress up to version 1.7.3. The root cause is use of file_exists() in delete_entry_files() with no path restriction, enabling unauthenticated PHP Object Injection. The report notes that no known POP c...
CVE-2025-6691 SureForms β Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Submission Deletion
The SureForms β Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteentryfiles function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to...
CVE-2025-6691
CVE-2025-6691 affects the WordPress plugin SureForms β Drag and Drop Form Builder (Brainstorm Force) up to version 1.7.3. The vulnerability arises from insufficient file path validation in the delete_entry_files() function, enabling unauthenticated attackers to delete arbitrary files on the serve...
CVE-2024-12713
The SureForms β Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handleexportform function due to a missing capability check. This makes it possible for unauthenticated attackers to export data...
CVE-2025-3514
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WordPress SureForms plugin < 1.4.4 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin SureForms versions 1.4.4...
CVE-2025-3514
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2025-3513 SureForms < 1.4.4 - Admin+ Stored XSS
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2025-3513 SureForms < 1.4.4 - Admin+ Stored XSS
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2025-3514 SureForms < 1.4.4 - Admin+ Stored XSS
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2025-3514 SureForms < 1.4.4 - Admin+ Stored XSS
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...