A high-severity vulnerability in the popular Forminator plugin for WordPress, tracked as CVE-2025-6463, could allow attackers to delete arbitrary files and potentially take over entire websites.

The flaw, rated 8.8 on the CVSS scale, affects all Forminator versions up to 1.44.2 and stems from unsafe file handling and inadequate input validation.

Forminator, developed by WPMU DEV, is used on over 600,000 websites and enables users to build forms through a drag-and-drop interface. However, its save_entry_fields() function fails to properly validate whether form fields should accept file inputs. Attackers can exploit this to submit fake file paths—such as targeting the critical wp-config.php file—via form fields not intended to handle uploads.

Once the plugin’s auto-deletion mechanism or an admin action triggers, the crafted input can lead to the deletion of core WordPress files. This pushes the site into setup mode, allowing an attacker to link it to a malicious database and gain full control, according to a report from Wordfence.

The vulnerability was discovered by researcher Phat RiO–BlueRock, who earned an $8,100 bounty after responsibly disclosing it to Wordfence on June 20. WPMU DEV responded swiftly, releasing a patched version (1.44.3) on June 30, which includes improved input validation and restricts file deletions to the uploads directory.
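As an added illustration (not Forminator's or WPMU DEV's code; the function names, field definitions and sample paths are assumptions), here is the unsafe pattern the report describes next to a hardened deletion routine that applies the two controls the patch is said to add: honouring only fields declared as upload fields, and confining deletions to the uploads directory.

```php
<?php
// Constructed form definition: only "resume" is an upload field.
$form_fields = [
    'name'   => ['type' => 'text'],
    'resume' => ['type' => 'upload'],
];

// Vulnerable pattern: every submitted value is treated as a file to delete,
// so a text field carrying a server path gets unlinked as well.
function delete_entry_files_vulnerable(array $entry): void {
    foreach ($entry as $value) {
        if (is_string($value) && file_exists($value)) {
            unlink($value);
        }
    }
}

// Hardened pattern: field-type gate plus uploads-directory confinement.
// $uploads_dir would come from wp_upload_dir()['basedir'] in WordPress.
function delete_entry_files_safe(array $fields, array $entry, string $uploads_dir): array {
    $deleted = [];
    $base = realpath($uploads_dir);
    if ($base === false) {
        return $deleted;
    }
    foreach ($entry as $field_name => $value) {
        // Only fields declared as upload fields may reference files at all.
        if (($fields[$field_name]['type'] ?? '') !== 'upload' || !is_string($value)) {
            continue;
        }
        // realpath() resolves symlinks and "..", so a prefix check on the
        // resolved path is what keeps deletion inside the uploads tree.
        $real = realpath($value);
        if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
            continue; // outside uploads (e.g. wp-config.php): refuse
        }
        if (is_file($real)) {
            unlink($real);
            $deleted[] = $real;
        }
    }
    return $deleted;
}

// Constructed sample entry: the "name" value is ignored by the safe routine
// because the field is not an upload field, regardless of what it contains.
$entry = [
    'name'   => '/var/www/html/wp-config.php',
    'resume' => '/var/www/html/wp-content/uploads/forminator/resume.pdf',
];
var_dump(delete_entry_files_safe($form_fields, $entry, '/var/www/html/wp-content/uploads'));
```

On a host where the sample paths do not exist the safe routine simply returns an empty array; the point is the two checks, which reject the path in the text field before any filesystem call is made.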

Although no active exploitation has been reported yet, the public disclosure of technical details and ease of abuse could lead to attacks. Website owners using Forminator are strongly advised to update immediately or temporarily deactivate the plugin to mitigate risk.
