Critical WordPress Plugin Vulnerability Exposes 600,000+ Sites to Remote Takeover
A severe arbitrary file deletion vulnerability has been discovered in the popular Forminator WordPress plugin, affecting over 600,000 active installations worldwide.
The vulnerability, assigned CVE-2025-6463 with a high CVSS rating of 8.8, allows unauthenticated attackers to delete critical system files, including wp-config.php, potentially leading to complete site takeover and remote code execution.
Summary
1. Forminator plugin has an arbitrary file deletion vulnerability (CVE-2025-6463, CVSS 8.8) allowing unauthenticated attacks.
2. A malicious form submission that embeds arbitrary file paths causes those files to be deleted when the submission is removed, either manually by an administrator or automatically through the plugin's auto-deletion setting.
3. Can delete wp-config.php, forcing the site into setup mode, enabling complete takeover and remote code execution.
4. Update immediately to version 1.44.3 - all versions ≤1.44.2 are vulnerable.
Security researcher Phat RiO – BlueRock discovered and responsibly disclosed this flaw through Wordfence’s Bug Bounty Program, earning the highest bounty of $8,100 awarded to date.
File Deletion Vulnerability
The vulnerability was initially reported on June 20, 2025, affecting all versions of Forminator up to and including version 1.44.2.
Forminator is a widely used WordPress form builder plugin that enables users to create contact forms, payment forms, quizzes, and polls through an intuitive drag-and-drop interface.
The security flaw stems from insufficient file path validation in the entry_delete_upload_files() function, which processes form submission deletions.
What makes this vulnerability particularly dangerous is its potential for unauthenticated exploitation.
Attackers can craft malicious form submissions containing arbitrary file paths, and when these submissions are deleted—either manually by administrators or automatically through plugin settings—the specified files are permanently removed from the server.
The most critical attack scenario involves deleting the wp-config.php file, which contains database credentials and security keys.
When this file is removed, WordPress enters a setup state, allowing attackers to configure the site with a database under their control, effectively achieving complete site compromise.
Technical details reveal that the vulnerability exists within the save_entry_fields() function in the Forminator_CForm_Front_Action class, which fails to perform adequate sanitization on form field values.
The function calls set_fields() in the Forminator_Form_Entry_Model class, storing serialized metadata directly in the database without validation. This allows attackers to submit file arrays in any form field, even those not designed to accept file uploads.
The core issue lies in the entry_delete_upload_files() function’s lack of proper security checks.
The vulnerable code processes all metadata values that match a file array structure without verifying field types, file extensions, or upload directory restrictions.
The function uses wp_delete_file($path) to remove files, making it possible to target any file on the server that the web server process has permissions to delete.
Attackers can exploit this by submitting forms with crafted file path values such as ../../../wp-config.php or other critical system files.
Risk Factors | Details |
Affected Products | Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress, all versions ≤ 1.44.2 |
Impact | Arbitrary file deletion |
Exploit Prerequisites | Unauthenticated access; an active Forminator form on the target site; ability to submit the form; deletion of the submission by an administrator or by auto-deletion |
CVSS 3.1 Score | 8.8 (High) |
Mitigations
WPMU DEV, the plugin developer, responded promptly to the vulnerability disclosure and released a comprehensive patch in version 1.44.3 on June 30, 2025.
The patch implements multiple security layers, including field type validation, restricting file deletion to only ‘upload’ and ‘signature’ field types, and implementing upload directory path restrictions using wp_normalize_path() and realpath() functions.
The patched code now includes strpos() validation to ensure file paths remain within the WordPress uploads directory, preventing directory traversal attacks.
Additionally, the fix incorporates sanitize_file_name() checks to validate file basenames before deletion.
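The following stand-alone PHP script is an added illustration of the two checks described above (the field-type gate and the uploads-directory containment check built from realpath(), a wp_normalize_path()-style normalizer and strpos()), written for this article rather than taken from Forminator's code. It assumes a constructed temporary directory in place of the real WordPress uploads directory, a local normalize_path() in place of wp_normalize_path(), a simplified basename check in place of sanitize_file_name(), and plain unlink() in place of wp_delete_file(); the function and variable names are hypothetical. The unsafe variant is shown only for contrast and is never called.

```php
<?php
// Added example, not Forminator's code. Stand-in names: normalize_path()
// for wp_normalize_path(), $uploads for wp_upload_dir()['basedir'],
// unlink() for wp_delete_file(), a simplified basename check for
// sanitize_file_name().
declare(strict_types=1);

// Collapse backslashes and repeated slashes (what wp_normalize_path() does).
function normalize_path(string $path): string
{
    $path = str_replace('\\', '/', $path);
    return preg_replace('|(?<=.)/+|', '/', $path);
}

// Vulnerable shape described in the article: any array that looks like a file
// entry gets its path deleted, with no field-type or directory check.
// Shown for contrast only; not called below.
function unsafe_delete_upload(array $field): bool
{
    $path = $field['file']['file_path'] ?? '';
    return $path !== '' && unlink($path);
}

// Only these field types are allowed to carry file metadata.
function field_may_carry_files(string $type): bool
{
    return in_array($type, ['upload', 'signature'], true);
}

// True only when $path resolves to an existing file located inside $uploads.
// realpath() collapses any "../" segments before the prefix comparison.
function is_inside_uploads(string $path, string $uploads): bool
{
    $base = realpath($uploads);
    $real = realpath(normalize_path($path));
    if ($base === false || $real === false) {
        return false; // unresolvable or missing: refuse rather than guess
    }
    $base = rtrim(normalize_path($base), '/') . '/';
    return strpos(normalize_path($real), $base) === 0;
}

// Hardened deletion: field-type gate, containment check, basename check.
function safe_delete_upload(array $field, string $uploads): bool
{
    if (!field_may_carry_files($field['type'] ?? '')) {
        return false;
    }
    $path = $field['file']['file_path'] ?? '';
    if (!is_inside_uploads($path, $uploads)) {
        return false;
    }
    // Simplified stand-in for sanitize_file_name(): the basename must survive
    // sanitization unchanged, otherwise it is treated as tampered.
    $name = basename($path);
    if ($name !== preg_replace('/[^A-Za-z0-9._-]/', '', $name)) {
        return false;
    }
    return unlink($path);
}

// Constructed demo layout: a temp "site root" holding a config stand-in and
// an uploads directory with one legitimate upload.
$root = sys_get_temp_dir() . '/forminator-demo-' . getmypid();
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/receipt.pdf', 'x');
file_put_contents($root . '/wp-config.php', '<?php // stand-in');

$cases = [
    ['type' => 'upload', 'file' => ['file_path' => $uploads . '/receipt.pdf']],
    ['type' => 'upload', 'file' => ['file_path' => $uploads . '/../wp-config.php']],
    ['type' => 'text',   'file' => ['file_path' => $uploads . '/receipt.pdf']],
];
foreach ($cases as $c) {
    $shown = str_replace($root, '', $c['file']['file_path']);
    printf("%-7s %-28s => %s\n", $c['type'], $shown,
        safe_delete_upload($c, $uploads) ? 'deleted' : 'refused');
}

// Clean up the constructed directory.
@unlink($root . '/wp-config.php');
@unlink($uploads . '/receipt.pdf');
rmdir($uploads);
rmdir($root);
```

Run it with `php demo.php`: the legitimate upload is deleted, the traversal path is refused because realpath() resolves it outside the uploads directory, and the upload path submitted through a text field is refused by the field-type gate before any path logic runs. The order of the checks matters: the cheap field-type test runs first, and realpath() is applied before the strpos() prefix comparison so that "../" segments cannot slip past a string-only check.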
WordPress administrators are strongly urged to update to version 1.44.3 immediately to prevent potential exploitation of this critical vulnerability.