CVE-2025-6742 SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) Triggered via Admin Submission Deletion

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of fileexists in the deleteentryfiles function without restriction on the path provided. This makes it possible for...

PT-2025-28843 · WordPress · Sureforms

Name of the Vulnerable Software and Affected Versions: SureForms – Drag and Drop Form Builder for WordPress plugin versions through 1.7.3 Description: The SureForms – Drag and Drop Form Builder for WordPress plugin is susceptible to arbitrary file deletion due to inadequate file path validation...

PT-2025-28844 · WordPress · Sureforms

Name of the Vulnerable Software and Affected Versions: SureForms – Drag and Drop Form Builder for WordPress versions up to 1.7.3 Description: The issue allows unauthenticated attackers to inject a PHP object through the use of file exists in the delete entry files function without restriction on...

CVE-2025-3513

The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2025-3514

Summary (CVE-2025-3514): The SureForms WordPress plugin is affected (versions before 1.4.4). The issue stems from insufficient sanitization/escaping of certain Form settings, enabling stored XSS by high-privilege users (e.g., admins), even when unfiltered_html is disallowed (such as on multisite)...