CyberSecurityBoard
Sponsor Register Login

Critical WordPress Plugin Vulnerability Exposes 200k Websites to Site Takeover Attack

The vulnerability, assigned CVE-2025-6691 with a CVSS score of 8.8, allows unauthenticated attackers to delete arbitrary files on affected servers, including the crucial wp-config.php file that controls WordPress database connections. The SureForms plugin, a popular drag-and-drop form builder for WordPress, contains a fundamental flaw in its file handling mechanism that enables malicious actors to exploit form submissions without requiring any authentication. Brainstorm Force released patches on June 30, 2025, implementing proper path validation through the delete_upload_file_from_subdir() function to restrict file operations to the sureforms subdirectory. A critical security vulnerability has been discovered in the SureForms WordPress plugin, affecting over 200,000 websites worldwide and potentially exposing them to complete site takeover attacks. When attackers successfully delete the wp-config.php file, they can force the WordPress site into setup mode, allowing them to establish their own database connection and effectively take control of the entire website. The technical root of this vulnerability lies in the plugin’s inadequate validation of file paths during form submission processing. The vulnerability stems from insufficient checks in the prepare_submission_data() function, which fails to validate user-supplied file paths properly. Attackers can manipulate form submissions to include arbitrary file paths, even in forms without file upload fields. When administrators delete these submissions, the malicious file paths are processed, resulting in the deletion of critical system files. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Wordfence analysts identified this vulnerability through their Bug Bounty Program, where security researcher Phat RiO from BlueRock discovered and responsibly reported the flaw on June 21, 2025. However, the function performs no field type validation, file extension checks, or upload directory restriction verification. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 11 Jul 2025 06:10:14 +0000


Cyber News related to Critical WordPress Plugin Vulnerability Exposes 200k Websites to Site Takeover Attack

CVE-2023-2813 - All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordPress theme through 1.1, Arendelle WordPress theme before 1.1.13, Atlast Business WordPress theme through 1.5.8.5, Bazaar Lite WordPress theme before ...
1 year ago
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
Critical WordPress Plugin Vulnerability Exposes 200k Websites to Site Takeover Attack - The vulnerability, assigned CVE-2025-6691 with a CVSS score of 8.8, allows unauthenticated attackers to delete arbitrary files on affected servers, including the crucial wp-config.php file that controls WordPress database connections. The SureForms ...
4 days ago Cybersecuritynews.com CVE-2025-6691
WordPress Request Architecture and Hooks - Before diving into the security features of WordPress, it's critical to understand the underlying request architecture. WordPress is a dynamic system that processes and responds to user requests in various ways, depending on the nature of the request ...
1 year ago Wordfence.com
50K WordPress sites exposed to RCE attacks by critical bug in backup plugin - A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites. Known as Backup Migration, the plugin helps admins automate site backups to ...
1 year ago Bleepingcomputer.com CVE-2023-6553 CVE-2023-45124 Hunters
Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack - On June 24th, 2024, the Wordfence Threat Intelligence Team became aware of a WordPress plugin, Social Warfare, that was infected with malware through the WordPress repository. We immediately notified the WordPress Plugin's Team and they removed the ...
1 year ago Wordfence.com
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
2 years ago Trendmicro.com
Critical WordPress Plug-in RCE Bug Exposes Reams of Websites to Takeover - A critical unauthenticated remote control execution bug in a backup plug-in that's been downloaded more than 90,000 times exposes vulnerable WordPress sites to takeover - another example of the epidemic of risk posed by flawed plug-ins for the ...
1 year ago Darkreading.com CVE-2023-6553
Many popular websites still cling to password creation policies from 1985 - A significant number of popular websites still allow users to choose weak or even single-character passwords, researchers at Georgia Institute of Technology have found. The researchers used an automated account creation method to assess over 20,000 ...
1 year ago Helpnetsecurity.com
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) - Software Name Software Slug 012 Ps Multi Languages 012-ps-multi-languages ABC APP CREATOR abcapp-creator Absolute Reviews absolute-reviews Accordion accordions Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads quick-adsense-reloaded Advanced File ...
9 months ago Wordfence.com Slug
CVE-2021-24752 - Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top ...
2 years ago
CVE-2021-24219 - The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before ...
2 years ago
WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks - The WordPress plugin WP Fastest Cache is vulnerable to an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the site's database. WP Fastest Cache is a caching plugin used to speed up page loads, improve ...
1 year ago Bleepingcomputer.com CVE-2023-6063
New Balada Injector campaign infects 6,700 WordPress sites - A little over 6,700 WordPress websites using a vulnerable version of the Popup Builder plugin have been infected with the Balada Injector malware in a campaign that launched in mid-December. Initially documented by researchers at Dr. Web who observed ...
1 year ago Bleepingcomputer.com CVE-2023-6000
75K+ WordPress Sites Impacted by Critical Plugin Flaws - A large-scale breach has impacted more than 75,000 WordPress sites that are running an online course plugin. According to security researchers, the plugin has three critical vulnerabilities that could expose customer data and be used to take over ...
2 years ago Bleepingcomputer.com
Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware - Hackers are breaching WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin, infecting over 3,300 websites with malicious code. The flaw leveraged in the attacks is tracked as CVE-2023-6000, a cross-site ...
1 year ago Bleepingcomputer.com CVE-2023-6000
Record Breaking $153,000+ Already Invested into the Security of the WordPress Ecosystem by Wordfence - In just a few short months since our launch in November of last year, the Wordfence Bug Bounty Program has already awarded over $153,000 in bounties to WordPress security researchers who have been responsibly reporting security issues in WordPress ...
1 year ago Wordfence.com
Wordpress Plugin Vulnerability Exposes 200k+ Sites to Code Execution Attacks - Security advisories indicate that while this vulnerability requires the Change Paths feature in WP Ghost to be set to “Lite” or “Ghost” mode (not enabled by default), when exploitable, it allows attackers to leverage several ...
3 months ago Cybersecuritynews.com
WordPress fixes POP chain exposing websites to RCE attacks - WordPress has released version 6.4.2 that addresses a remote code execution vulnerability that could be chained with another flaw to allow attackers run arbitrary PHP code on the target website. WordPress is a highly popular open-source content ...
1 year ago Bleepingcomputer.com
Over 150k WordPress sites at takeover risk via vulnerable plugin - Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication. Last month, Wordfence security researchers Ulysses Saicha and ...
1 year ago Bleepingcomputer.com CVE-2023-7027
Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin - On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability ...
1 year ago Wordfence.com
Forminator plugin flaw exposes WordPress sites to takeover attacks - When the admin deletes this or when the plugin auto-deletes old submissions (as configured), Forminator wipes the core WordPress file, forcing the website to enter a “setup” stage where it’s vulnerable to takeover. The Forminator ...
1 week ago Bleepingcomputer.com CVE-2025-6463
WordPress Security Research: A Beginner's Series - Over the coming months, this series will be presented through multiple blog posts, each delving into the fundamentals of WordPress's architecture and security mechanisms while featuring real-world examples of vulnerabilities and their exploitation. ...
1 year ago Wordfence.com
Code Execution Update: Improve WordPress Security - In the ever-evolving landscape of digital security, WordPress has recently released a critical code execution update, version 6.4.2, addressing a potential threat that could jeopardize the integrity of vulnerable sites. This update, triggered by the ...
1 year ago Securityboulevard.com
CVE-2022-4888 - The Checkout Fields Manager WordPress plugin before 1.0.2, Abandoned Cart Recovery WordPress plugin before 1.2.5, Custom Fields for WooCommerce WordPress plugin before 1.0.4, Custom Order Number WordPress plugin through 1.0.1, Custom Registration ...
8 months ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)