A vulnerability in the Forminator WordPress plugin could allow attackers to take over more than 400,000 impacted websites.
A popular form builder plugin with more than 600,000 active installations, Forminator supports the creation of various types of forms, including contact and payment forms, polls, and more.
The WordPress plugin was found vulnerable to CVE-2025-6463 (CVSS score of 8.8), an arbitrary file deletion flaw that exists because file paths are not sufficiently validated in a function used to delete a form submission’s uploaded files.
According to WordPress security firm Defiant, the function that Forminator uses to save form entry fields to the database does not perform proper sanitization of the values in the field, which allows attackers to submit file arrays in the form’s fields.
Furthermore, the function responsible for deleting the files submitted through the form, when deleting the form, lacks the necessary checks for field type, file extension, and upload directory restrictions.
“This means that this function deletes all files contained in the meta value, if the meta value is a file array. As previously established, users can supply a file array in any form submission field, even when the field should not accept files. This makes the vulnerability exploitable on any instance with an active form,” Defiant explains.
According to the security firm, the vulnerability can be exploited by unauthenticated attackers to specify arbitrary files on the server that would be deleted when a form is deleted, either manually or automatically, depending on the installation’s settings.
Attackers, Defiant explains, could specify the site’s wp-config.php file for deletion, which would result in the site entering the setup state, allowing the attacker to take control of it.
“While this vulnerability does require a step of passive or active interaction to exploit, we believe that form submission deletion, especially if created to appear spammy, is a very likely situation to occur making this vulnerability a prime target for attackers,” Defiant notes.
CVE-2025-6463 was resolved in Forminator version 1.44.3 with the addition of a file path check to the deletion function, which now only erases files uploaded through form fields that have the ‘upload’ or ‘signature’ mark, and are placed in the WordPress uploads directory.
The patched plugin iteration was released on June 30, but WordPress data shows that it has been downloaded less than 200,000 times over the past two days, which suggests that more than 400,000 websites remain vulnerable.
The security researcher who discovered the bug and reported it through the Wordfence Bug Bounty Program received an $8,100 bug bounty reward, Defiant says.
Given the risk this vulnerability poses, users are advised to update their Forminator installations to the latest version as soon as possible.
Related: Motors Theme Vulnerability Exploited to Hack WordPress Websites
Related: Second OttoKit Vulnerability Exploited to Hack WordPress Sites
Related: Threat Actors Deploy WordPress Malware in ‘mu-plugins’ Directory
