CVE-2025-6742: 
WordPress vulnerability analysis and mitigation

The SureForms – Drag and Drop Form Builder for WordPress plugin contains a PHP Object Injection vulnerability (CVE-2025-6742) affecting all versions up to and including 1.7.3. The vulnerability exists in the delete_entry_files() function due to unrestricted use of file_exists(), allowing unauthenticated attackers to inject PHP Objects (NVD).

The vulnerability stems from improper input validation in the delete_entry_files() function where the file_exists() function is used without proper path restrictions. While the vulnerability allows for PHP Object injection by unauthenticated attackers, it requires a POP (Property Oriented Programming) chain from another installed plugin or theme to be exploitable. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (NVD).

If a POP chain is present via an additional plugin or theme installed on the target system, successful exploitation could allow attackers to perform various malicious actions including deletion of arbitrary files, retrieval of sensitive data, or execution of arbitrary code depending on the available POP chain (NVD).

The vulnerability has been patched in version 1.7.4 of the SureForms plugin. Site administrators are strongly advised to update to this latest version to protect against potential exploitation (WordPress Plugin).