A critical security flaw in the popular Forminator WordPress plugin has put more than 600,000 websites worldwide at risk of remote takeover, according to recent disclosures from security firm Wordfence and independent researchers.
The vulnerability, tracked as CVE-2025-6463 and rated 8.8 (High) on the CVSS scale, allows unauthenticated attackers to delete arbitrary files from affected servers—potentially leading to full site compromise.
How the Vulnerability Works
The flaw exists in all Forminator versions up to and including 1.44.2. It stems from insufficient validation in the plugin’s handling of file deletions during form submission processing.
Attackers can craft a form submission containing a malicious file path; when the submission is deleted—either manually by an administrator or automatically by plugin settings—the referenced file is also deleted.
| Field | Value |
| CVE-ID | CVE-2025-6463 |
| Plugin Name | Forminator Forms – Contact Form, Payment Form & Custom Form Builder |
| Affected Versions | <= 1.44.2 |
| Patched Version | 1.44.3 |
| Vulnerability Type | Unauthenticated Arbitrary File Deletion |
| CVSS Rating | 8.8 (High) |
Of particular concern is the ability to target critical files such as wp-config.php. Deleting this configuration file forces WordPress into setup mode, enabling an attacker to connect the site to a database under their control and potentially take over the site entirely.
“This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be leveraged to delete critical files like wp-config.php, which can lead to remote code execution,” Wordfence explained.
Security researcher Phat RiO – BlueRock discovered the vulnerability and reported it responsibly through the Wordfence Bug Bounty Program, earning an $8,100 reward—the highest in the program’s history.
The WPMU DEV team, developers of Forminator, responded promptly and released a patched version (1.44.3) on June 30, 2025.
Wordfence deployed a firewall rule to protect premium users on June 26, with free users set to receive the same protection by July 26, 2025.
Technical Details and Patch
The vulnerability resided in the entry_delete_upload_files() function, which failed to restrict file deletions to legitimate upload fields or to files within the WordPress uploads directory.
The patch now ensures that only files uploaded through designated ‘upload’ or ‘signature’ fields can be deleted, and only if they reside within the uploads directory. File names are also sanitized and paths normalized to prevent abuse.
What Site Owners Should Do
- Update Forminator immediately to version 1.44.3 or higher.
- Review form submission and deletion settings for suspicious activity.
- Monitor file system changes and implement security plugins such as Wordfence.
- Back up critical site files and test recovery procedures.
With the simplicity of the attack and the potential for complete site compromise, administrators are urged to act without delay.
This incident underscores the importance of proactive plugin management and robust security practices in the WordPress ecosystem
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates
