Forminator WordPress Plugin Flaw (CVE-2025-6463, CVSS 8.8): Unauthenticated Arbitrary File Deletion Leads to Site Takeover
A critical vulnerability has been discovered in the popular WordPress plugin Forminator, enabling unauthenticated attackers to arbitrarily delete files from a website. This flaw poses a significant threat, potentially allowing full compromise of targeted resources. Identified as CVE-2025-6463, it carries a CVSS severity score of 8.8 and is classified as critical.
Forminator Forms, developed by WPMU DEV, provides a flexible visual form builder, empowering website owners to design and embed various types of forms without the need for coding. According to official WordPress.org statistics, the plugin is currently active on over 600,000 websites worldwide.
The vulnerability stems from inadequate validation and sanitization of incoming form data, combined with insecure file deletion logic within the plugin’s backend code. Specifically, the flaw lies in the save_entry_fields() function, which stores values from all form fields—including file paths—without verifying whether the field is intended for file handling.
This behavior can be exploited by malicious actors who inject a specially crafted data array into any text field, mimicking a file upload. Such an array may contain a path to a critical site file, such as WordPress’s configuration file located at /var/www/html/wp-config.php. If the administrator deletes the field or if the plugin’s auto-cleanup feature is triggered, the file is physically erased from the server.
Deleting the WordPress configuration file sends the site into its initial setup mode. At this stage, an attacker could link the site to their own database, thereby gaining full control.
According to the Wordfence security team, this mechanism renders the vulnerability particularly dangerous. They emphasize that a successful exploit doesn’t merely corrupt files—it exposes the entire website to potential takeover.
The vulnerability was discovered by a researcher known as Phat RiO from BlueRock, who responsibly disclosed the issue to Wordfence on June 20. For this critical find, he was awarded $8,100. After verifying the report, Wordfence contacted the plugin’s developer, WPMU DEV, on June 23. The company confirmed the issue and initiated remediation.
On June 30, Forminator version 1.44.3 was released, introducing field type validation and stricter path sanitization to prevent file deletion outside of WordPress’s upload directory.
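As an added example (not Forminator's own code and not the 1.44.3 patch), the PHP helper below shows the two mitigations the fix is described as introducing, field type validation and restricting deletion to the uploads directory, applied to entries shaped like the crafted text field described above; the entry array layout and the 'upload' type label are assumptions, and the demo runs against a constructed temporary directory rather than a real site.

```php
<?php
// Added example, not Forminator's own code: a hardened "delete the file an
// entry references" helper enforcing the two checks the 1.44.3 fix is
// described as adding. Field names ('type', 'value', ...) are assumptions.

function delete_entry_upload(array $field, string $uploads_basedir): bool
{
    // Check 1, field type validation: only genuine upload fields may
    // reference a file, so a text field carrying a file array is ignored.
    if (($field['type'] ?? '') !== 'upload') {
        return false;
    }
    $path = $field['value']['file']['path'] ?? null;
    if (!is_string($path) || $path === '') {
        return false;
    }
    // Check 2, path sanitization: resolve ".." and symlinks, then require
    // the real path to sit below the uploads directory.
    $base = realpath($uploads_basedir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false; // wp-config.php lives outside uploads: refused
    }
    return unlink($real); // a real plugin would call wp_delete_file() here
}

// Constructed demo layout: fake site root with a fake wp-config.php.
$root    = sys_get_temp_dir() . '/forminator_demo_' . uniqid();
$uploads = "$root/wp-content/uploads";
mkdir($uploads, 0700, true);
file_put_contents("$root/wp-config.php", "<?php // fake config\n");
file_put_contents("$uploads/attachment.txt", "legitimate upload\n");

// A text field carrying a crafted file array aimed at the config file.
$crafted = ['type' => 'text',   'value' => ['file' => ['path' => "$root/wp-config.php"]]];
// Upload type but a traversal path: the containment check must stop it.
$spoofed = ['type' => 'upload', 'value' => ['file' => ['path' => "$uploads/../../wp-config.php"]]];
// Legitimate upload inside the uploads directory.
$legit   = ['type' => 'upload', 'value' => ['file' => ['path' => "$uploads/attachment.txt"]]];

foreach (['crafted' => $crafted, 'spoofed' => $spoofed, 'legit' => $legit] as $name => $f) {
    printf("%-8s deleted=%s\n", $name, delete_entry_upload($f, $uploads) ? 'yes' : 'no');
}
printf("wp-config.php still present: %s\n", file_exists("$root/wp-config.php") ? 'yes' : 'no');
```

Only the legitimate upload is removed; both the mistyped text field and the traversal path leave the configuration file in place.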
Since its release, the updated plugin has been downloaded over 200,000 times. However, the number of websites that remain vulnerable to CVE-2025-6463 is currently unknown.
Users of Forminator are strongly advised to update to the latest version immediately or disable the plugin temporarily until a secure version is installed. While there have been no confirmed reports of the vulnerability being exploited in the wild, the disclosure of technical details and ease of exploitation significantly increase the likelihood of imminent attacks.