A severe security vulnerability discovered in the popular Forminator WordPress plugin has left over 600,000 websites vulnerable to complete takeover by unauthenticated attackers.
The vulnerability, designated CVE-2025-6463 with a critical CVSS rating of 8.8, allows malicious actors to delete arbitrary files from affected servers, potentially leading to remote code execution and full site compromise.
The vulnerability affects all versions of the Forminator Forms plugin up to and including 1.44.2 and results from insufficient file path validation in the plugin's file deletion mechanism.
Forminator, a widely-used form builder that enables creation of contact forms, payment forms, and custom forms through a drag-and-drop interface, processes form submissions without proper sanitization of field values.
The vulnerability stems from the plugin’s entry_delete_upload_files() function, which automatically deletes uploaded files when form submissions are removed.
Attackers can exploit this by submitting malicious file paths in any form field, even those not designed to accept file uploads.
When administrators delete these submissions—or when the plugin’s auto-deletion settings trigger—the specified files are permanently removed from the server.
The most dangerous aspect of this vulnerability is its potential to delete critical WordPress files such as wp-config.php.
Removing this essential configuration file forces the website into setup mode, allowing attackers to connect the site to a database under their control and achieve complete administrative access.
This attack vector requires no authentication and can be executed against any site running a vulnerable version of Forminator with an active form.
WordPress Plugin Vulnerability
The vulnerability was discovered and responsibly disclosed by security researcher Phat RiO from BlueRock through the Wordfence Bug Bounty Program on June 20, 2025.
During submission handling, the plugin calls the set_fields() function in the Forminator_Form_Entry_Model class, which saves each meta key and its serialized meta value to the database without validating the value as a file path.
This discovery earned the researcher a substantial bounty of $8,100, marking the highest payout awarded through Wordfence’s bug bounty program to date.
Following standard disclosure protocols, Wordfence validated the vulnerability within 24 hours and initiated contact with WPMU DEV, the plugin’s developer, on June 23.
The development team demonstrated exceptional responsiveness by registering on Wordfence’s Vulnerability Management Portal within two days and immediately accessing the full disclosure details. This collaborative approach enabled rapid patch development and deployment.
Wordfence implemented protective measures for their premium users on June 26, 2025, deploying firewall rules to block potential exploitation attempts.
Free Wordfence users are scheduled to receive the same protection on July 26, 2025, following the company’s standard 30-day delay for free tier security updates.
Patch Released, Immediate Updates
WPMU DEV successfully addressed the vulnerability by releasing Forminator version 1.44.3 on June 30, 2025.
The patch implements crucial security enhancements including field type validation that restricts file deletion to legitimate upload and signature fields only.
Additionally, the fix enforces path restrictions, ensuring deleted files must reside within WordPress’s designated uploads directory.
The patched version also incorporates file path normalization and basename sanitization to prevent directory traversal attacks and malicious file name manipulation.
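As an added illustration of the three checks listed above (field type gating, containment in the uploads directory, and normalization plus basename sanitization), the following PHP function shows how a deletion guard of that shape can be written; it is not Forminator's own code. It assumes the standard WordPress helpers wp_upload_dir(), wp_normalize_path(), trailingslashit() and sanitize_file_name(), and the field type names 'upload' and 'signature' are placeholders.

```php
<?php
// Added example, not Forminator's code. Deletes a stored entry file only when
// every check passes; returns false (and deletes nothing) otherwise.
// Assumes the WordPress helper functions named in the lead-in are loaded.
function guarded_entry_file_delete( string $field_type, string $stored_path ): bool {
    // 1. Field-type gate: only field types that legitimately hold file paths
    //    may ever trigger unlink(). Type names here are placeholders.
    if ( ! in_array( $field_type, array( 'upload', 'signature' ), true ) ) {
        return false;
    }

    // 2. Resolve the uploads root once; bail out if it cannot be resolved.
    $uploads   = wp_upload_dir();
    $root_real = realpath( $uploads['basedir'] );
    if ( false === $root_real ) {
        return false;
    }
    $root = trailingslashit( wp_normalize_path( $root_real ) );

    // 3. Normalize separators and refuse any traversal segment outright.
    $path = wp_normalize_path( $stored_path );
    if ( false !== strpos( $path, '..' ) ) {
        return false;
    }

    // 4. Resolve symlinks and relative parts; realpath() is false for a missing file,
    //    which also means nothing can be deleted.
    $real = realpath( $path );
    if ( false === $real ) {
        return false;
    }
    $real = wp_normalize_path( $real );

    // 5. Containment: the resolved path must sit under the uploads root.
    if ( 0 !== strpos( $real, $root ) ) {
        return false;
    }

    // 6. Basename sanitization as a check rather than a rewrite: if WordPress
    //    would alter the name, it contains characters we do not accept.
    $name = basename( $real );
    if ( sanitize_file_name( $name ) !== $name || ! is_file( $real ) ) {
        return false;
    }

    return unlink( $real );
}
```

Because the checks run on the resolved path rather than the stored string, a value that points outside the uploads directory through a symlink is rejected as well.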
Given the critical nature of this vulnerability and the ease of exploitation, WordPress administrators are strongly urged to update their Forminator installations immediately to version 1.44.3 or later to protect against potential attacks.