CVE-2025-6691

WordPress · WordPress SureForms – Drag and Drop Form Builder

A high-severity arbitrary file deletion vulnerability in the SureForms WordPress plugin allows an authenticated attacker to delete critical system files, potentially causing a complete denial of service.

Executive summary

A high-severity arbitrary file deletion vulnerability in the SureForms WordPress plugin allows an authenticated attacker to delete critical system files, potentially causing a complete denial of service.

Vulnerability

This vulnerability stems from insufficient file path validation within the delete_entry_files() function: the path of the file to be removed is not confined to the directory that holds form-entry uploads. An authenticated attacker can exploit this flaw to delete arbitrary files on the server's filesystem, including critical application or system files.
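The defensive pattern that closes this class of bug is to resolve the requested path against the intended base directory and refuse anything that lands outside it. The example below is added here to illustrate that check; it is not SureForms code and does not reflect how the plugin's delete_entry_files() is written. The directory layout, file names and the `delete_entry_file()` / `resolve_within()` helpers are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_within(base_dir, user_path: str) -> Optional[Path]:
    """Return the fully resolved path if it stays inside base_dir, else None.

    Resolution follows symlinks and collapses '..' segments, so a link or a
    traversal sequence that points outside the base is rejected as well.
    """
    base = Path(base_dir).resolve()
    # A caller-supplied absolute path must never be honoured: os.path.join()
    # would silently discard base_dir in that case.
    if os.path.isabs(str(user_path)):
        return None
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        return None
    return candidate


def delete_entry_file(base_dir, user_path: str) -> bool:
    """Delete a regular file below base_dir; return True only if it was removed."""
    target = resolve_within(base_dir, user_path)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Build a constructed site tree in a temp dir and exercise the check."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    (uploads / "entry-1").mkdir(parents=True)
    (uploads / "entry-1" / "upload.pdf").write_text("constructed upload\n")
    secret = root / "wp-config.php"          # stand-in for a critical config file
    secret.write_text("<?php // constructed\n")

    results = {
        "traversal_blocked": not delete_entry_file(uploads, "../wp-config.php"),
        "absolute_blocked": not delete_entry_file(uploads, str(secret)),
        "legit_deleted": delete_entry_file(uploads, "entry-1/upload.pdf"),
    }
    results["secret_survives"] = secret.exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by pattern-matching `..` in the input, so encoded or platform-specific separators and symlinks are handled uniformly. In PHP the same idea is `realpath()` on both the base directory and the candidate, followed by a prefix comparison.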

Business impact

A successful exploit could lead to a complete denial of service by deleting critical configuration files, resulting in significant website downtime and potential data loss. The CVSS score of 8.1 (High severity) reflects the potential for attackers to cause widespread disruption and to impact the integrity and availability of the affected website, which in turn can lead to reputational damage and operational interruption.

Remediation

Immediate Action: Update the SureForms – Drag and Drop Form Builder for WordPress plugin to the latest patched version without delay. If the plugin is no longer required, deactivate and uninstall it.

Proactive Monitoring: Implement file integrity monitoring to detect unauthorized changes to core WordPress files and plugin directories, with deletions outside the uploads tree treated as high-priority alerts. Review web server and application logs for suspicious requests that reach the code path of the delete_entry_files() function.

Compensating Controls: Employ a Web Application Firewall (WAF) with rules designed to block directory traversal attacks and suspicious file manipulation requests. This provides a layer of defense against exploitation attempts until the patch is applied, but it is not a substitute for updating.
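The indicators a WAF rule or a log review looks for are the same: traversal sequences, null bytes and absolute paths in file-name parameters, including when they are percent-encoded more than once. The example below is an added log-scanning illustration, not part of the advisory or of any WAF product. The log lines, the IP addresses (RFC 5737 documentation ranges) and the `action=example_delete` / `file=` parameters are constructed; the real SureForms request shape is not described by the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Fields of the Apache/Nginx "combined" format that the scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: one legitimate delete, two traversal attempts
# (single- and double-encoded), one static asset, one POST whose body is not logged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete&file=entry-12/upload.pdf HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2025:12:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2025:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2025:12:01:00 +0000] "GET /wp-content/uploads/2025/10/photo.jpg HTTP/1.1" 200 4096',
    '203.0.113.5 - - [10/Oct/2025:12:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (catches %252e%252e%252f)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(target: str) -> list:
    """Return the sorted set of suspicious patterns found in a request target."""
    parts = urlsplit(target)
    values = [fully_decode(parts.path)]
    values += [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    found = set()
    for v in values:
        norm = v.replace("\\", "/")  # treat backslash separators like forward slashes
        if "../" in norm or norm.endswith(".."):
            found.add("dot-dot-slash")
        if "\x00" in v:
            found.add("null-byte")
        if re.match(r"^/(etc|var|usr|home)/", norm) or re.match(r"^[A-Za-z]:/", norm):
            found.add("absolute-path")
    return sorted(found)


def scan_log(lines) -> list:
    """Return one record per log line that carries a traversal indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = traversal_indicators(m.group("target"))
        if indicators:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["indicators"], hit["target"])
```

Access logs only record the request line, so parameters sent in a POST body (the last sample line) are invisible here; that is why a WAF, which inspects the body, is the control the advisory recommends, with log review as the retrospective check. Decoding is capped at a few rounds so a pathological input cannot turn the scanner into a loop.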

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high potential for service disruption, this vulnerability presents a significant risk to website availability and integrity. We strongly recommend that administrators prioritize the immediate installation of the patched version of the SureForms plugin to prevent potential exploitation. Delaying this action leaves the web server exposed to irreversible file deletion.