SureForms WordPress Plugin Unauthenticated PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the SureForms - Drag and Drop Form Builder for WordPress plugin, affecting all versions prior to 1.7.4. The flaw lies in the delete_entry_files() function, which passes a path to file_exists() without restricting what that path may be. Because PHP filesystem functions such as file_exists() honour stream wrappers, and the phar:// wrapper deserializes an archive's metadata when it is opened, an unauthenticated attacker who controls that path can inject PHP objects. The plugin itself is not known to contain a usable object injection chain; however, if another installed plugin or theme supplies a compatible chain, exploitation could lead to unauthorized file deletion, data retrieval, or code execution.
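As an added illustration of the flaw class (this is not SureForms code and makes no claim about how delete_entry_files() is written), the following PHP shows the unsafe pattern of handing an unvalidated path to file_exists() beside a hardened helper, safe_entry_file_path(), that rejects stream wrappers and NUL bytes and confines the path to an allowed directory before any filesystem call is made. The function and directory names are hypothetical, and the demonstration inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical vulnerable pattern (not the plugin's source): the path is used as-is,
// so a caller-controlled value such as a phar:// URI reaches file_exists().
function delete_attachment_unsafe(string $path): bool
{
    if (file_exists($path)) {
        return unlink($path);
    }
    return false;
}

/**
 * Hardened variant: return the canonical path of $candidate if, and only if, it
 * names a regular file inside $allowedDir; otherwise return null.
 */
function safe_entry_file_path(string $allowedDir, string $candidate): ?string
{
    // 1. Reject any stream wrapper scheme (phar://, php://, data://, ...).
    //    Only plain filesystem paths are acceptable here.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate) === 1) {
        return null;
    }
    // 2. Reject embedded NUL bytes, which truncate paths in some APIs.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    // 3. Canonicalise the allowed base directory.
    $base = realpath($allowedDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // 4. Treat the candidate as relative to the base, canonicalise it, and
    //    require the result to stay under the base (defeats ../ traversal).
    $joined   = $base . DIRECTORY_SEPARATOR . ltrim($candidate, '/\\');
    $resolved = realpath($joined);
    if ($resolved === false) {
        return null; // does not exist, or could not be resolved
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0 || !is_file($resolved)) {
        return null;
    }
    return $resolved;
}

// Hardened deletion: only paths that pass validation are ever touched.
function delete_attachment_safe(string $allowedDir, string $candidate): bool
{
    $path = safe_entry_file_path($allowedDir, $candidate);
    return $path !== null && unlink($path);
}

// Demonstration with a constructed temporary uploads directory.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'forms_demo_' . bin2hex(random_bytes(4));
mkdir($uploads . '/entry-1', 0700, true);
file_put_contents($uploads . '/entry-1/attachment.txt', 'demo');

$inputs = [
    'entry-1/attachment.txt',                      // legitimate relative path
    '../../../../etc/hostname',                    // directory traversal attempt
    'phar:///tmp/archive.phar/file',               // stream wrapper: must be rejected
    "entry-1/attachment.txt\0.jpg",                // NUL-byte truncation attempt
];
foreach ($inputs as $input) {
    $result = safe_entry_file_path($uploads, $input);
    printf("%-36s => %s\n", addcslashes($input, "\0"),
        $result === null ? 'rejected' : 'accepted: ' . $result);
}

// Clean up the constructed directory.
unlink($uploads . '/entry-1/attachment.txt');
rmdir($uploads . '/entry-1');
rmdir($uploads);
```

Of the four constructed inputs only the first is accepted; the traversal attempt resolves outside the base directory, the wrapper URI fails the scheme check, and the NUL-byte variant is rejected before any filesystem function sees it. Validating before file_exists() matters because the object injection happens at the moment the path is opened, not at unlink().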

Impact

Successful exploitation yields PHP Object Injection. Its practical impact depends on whether a compatible object injection chain is present through another installed plugin or theme; where one is, further exploitation such as file deletion, data retrieval, or code execution becomes possible.

Remediation

Users are advised to update the SureForms WordPress plugin to version 1.7.4 or later.

Added: Jul 9, 2025, 6:20 AM
Updated: Jul 9, 2025, 6:20 AM