A severe vulnerability in the widely used Forminator WordPress plugin has been disclosed, exposing websites to the risk of arbitrary file deletion and potential site takeover.
The flaw, which affects versions up to 1.44.2, allows unauthenticated users to include arbitrary file paths in form submissions. These files are deleted once the form submission itself is removed, either manually by administrators or automatically through plugin settings.
The vulnerability, tracked as CVE-2025-6463, was uncovered by security researcher Phat RiO, BlueRock and reported via the Wordfence Bug Bounty Program.
By submitting file paths disguised within ordinary fields, such as a name input, attackers could target critical configuration files, including wp-config.php. When this file is deleted, the WordPress site enters setup mode, allowing an attacker to hijack the site by connecting it to a database they control. This can result in full site compromise and remote code execution.
Technically, the vulnerability stems from two flawed components in the plugin’s code.
First, the function saving form entries lacked input sanitization, allowing attackers to submit file arrays in unexpected fields.
Second, the deletion logic failed to validate file types, extensions or upload directories, indiscriminately removing files if structured as a file array.
The vendor, WPMU DEV, responded promptly after being contacted on June 23, 2025.
Following registration with Wordfence’s Vulnerability Management Portal on June 25, they received full disclosure and issued a patch five days later. The fix introduces checks for allowed field types and ensures that file paths are restricted to the WordPress uploads directory.
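To make the two missing checks concrete, here is an added illustration of a hardened entry-file deletion routine that applies the kind of validation the patch is described as adding (a field-type allow list and confinement to the uploads directory). It is example code written for this article, not Forminator's own code, and the field layout, the `ALLOWED_FILE_FIELD_TYPES` list and the `delete_entry_files` name are assumptions.

```php
<?php
// Added example, not Forminator's code. Field types that may legitimately
// carry uploaded files (assumed list for illustration).
const ALLOWED_FILE_FIELD_TYPES = ['upload', 'signature'];

/**
 * Return true only if $path resolves to an existing regular file located
 * inside $uploads_dir. realpath() collapses "..", "." and symlinks, so a
 * stored path cannot escape the directory by construction.
 */
function path_within_uploads(string $path, string $uploads_dir): bool {
    $base = realpath($uploads_dir);
    $real = realpath($path);
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0;
}

/**
 * Delete the files attached to a form entry when the entry is removed.
 * $entry maps field slugs to ['type' => ..., 'files' => [...]] (assumed
 * layout). In WordPress $uploads_dir would come from wp_upload_dir()['basedir'].
 * Returns the paths that were actually deleted.
 */
function delete_entry_files(array $entry, string $uploads_dir): array {
    $deleted = [];
    foreach ($entry as $slug => $field) {
        // Check 1: only file-typed fields may carry files. The unpatched logic
        // removed anything shaped like a file array regardless of field type,
        // so a plain "name" field could smuggle in a path.
        if (!in_array($field['type'] ?? '', ALLOWED_FILE_FIELD_TYPES, true)) {
            continue;
        }
        foreach ((array) ($field['files'] ?? []) as $path) {
            // Check 2: the path must resolve inside the uploads directory,
            // so core files such as wp-config.php are never candidates.
            if (!is_string($path) || !path_within_uploads($path, $uploads_dir)) {
                continue;
            }
            if (unlink($path)) {
                $deleted[] = $path;
            }
        }
    }
    return $deleted;
}
```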
Users are strongly urged to update to Forminator version 1.44.3 immediately. This vulnerability affects any site with the plugin installed, regardless of how forms are configured.
While exploitation requires the submission to be deleted, researchers caution that spammy entries are often targeted for removal, making this an attractive vector for attackers.