A critical arbitrary file deletion vulnerability has been discovered in the SureForms WordPress plugin, affecting over 200,000 active installations and potentially enabling unauthenticated attackers to achieve full site takeover.
The flaw, tracked as CVE-2025-6691 with a CVSS score of 8.8 (High), resides in versions up to 1.7.3 of the plugin, which is developed by Brainstorm Force.
https://gbhackers.com/severe-wordpress-plugin-flaw/