Critical Vulnerability in Forminator WordPress Plugin Threatens Over 600,000 Websites

A significant security flaw has been identified in the Forminator WordPress plugin, a tool utilized by over 600,000 websites globally. This vulnerability, designated as CVE-2025-6463 with a CVSS score of 8.8, permits unauthenticated attackers to delete arbitrary files on the server, including critical files like `wp-config.php`. Exploitation of this flaw can lead to complete site takeover and remote code execution.

Understanding the Vulnerability

Forminator is a widely adopted WordPress plugin that enables users to create various forms, such as contact forms, payment forms, quizzes, and polls, through an intuitive drag-and-drop interface. The identified vulnerability resides in the `entry_delete_upload_files()` function, which processes the deletion of form submissions. Due to insufficient validation of file paths, attackers can craft malicious form submissions containing arbitrary file paths. When these submissions are deleted—either manually by administrators or automatically through plugin settings—the specified files are permanently removed from the server.

Potential Impact

The most critical scenario involves the deletion of the `wp-config.php` file, which contains essential configuration details for WordPress, including database credentials and security keys. Removing this file forces WordPress into a setup state, allowing attackers to reconfigure the site with a database under their control, effectively achieving full site compromise. Beyond `wp-config.php`, attackers could target other vital files, leading to data loss, service disruption, and further security breaches.

Technical Details

The vulnerability affects all versions of Forminator up to and including 1.44.2. The core issue lies in the `save_entry_fields()` function within the `Forminator_CForm_Front_Action` class, which fails to adequately sanitize form field values. This function calls `set_fields()` in the `Forminator_Form_Entry_Model` class, storing serialized metadata directly in the database without proper validation. Consequently, attackers can submit file arrays in any form field, even those not intended for file uploads.

The `entry_delete_upload_files()` function lacks proper security checks, processing all metadata values that match a file array structure without verifying field types, file extensions, or upload directory restrictions. It utilizes `wp_delete_file($path)` to remove files, enabling attackers to target any file on the server that the web server process has permissions to delete. By submitting forms with crafted file path values such as `../../../wp-config.php`, attackers can exploit this vulnerability to delete critical system files.
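To make the three missing checks concrete (field type, upload-directory containment, file extension), here is an added illustration written for this page; it is not Forminator's code, and the function names, the `file_path` metadata key, the `$field_types` map, and the extension allowlist are assumptions. Only `wp_delete_file()` and `wp_upload_dir()` are real WordPress APIs. The first function shows the trusting pattern the advisory describes; the second refuses any path that does not canonicalise to a regular file inside the uploads directory.

```php
<?php
// Added example (not Forminator's code). Demonstrates the deletion pattern
// described in the advisory and a hardened alternative.

// Trusting pattern: whatever path the stored metadata carries is handed to
// wp_delete_file(). A value such as ../../../wp-config.php is deleted as-is.
function unsafe_entry_delete_upload_files( array $meta ) {
    foreach ( $meta as $value ) {
        // Assumed metadata shape: array( 'file' => array( 'file_path' => ... ) )
        if ( is_array( $value ) && ! empty( $value['file']['file_path'] ) ) {
            foreach ( (array) $value['file']['file_path'] as $path ) {
                wp_delete_file( $path ); // no type, directory or extension check
            }
        }
    }
}

// Hardened pattern. $field_types maps field id => field type and is assumed to
// come from the form definition, not from the submitted entry.
// Returns the list of paths actually deleted.
function safe_entry_delete_upload_files( array $meta, array $field_types ) {
    $uploads  = wp_upload_dir();
    $base_dir = realpath( $uploads['basedir'] );
    if ( false === $base_dir ) {
        return array(); // uploads directory missing; delete nothing
    }
    $allowed_ext = array( 'pdf', 'jpg', 'jpeg', 'png', 'gif', 'txt' ); // hypothetical allowlist
    $deleted     = array();

    foreach ( $meta as $field_id => $value ) {
        // 1. Only fields defined as upload fields may carry file metadata.
        if ( ! isset( $field_types[ $field_id ] ) || 'upload' !== $field_types[ $field_id ] ) {
            continue;
        }
        if ( ! is_array( $value ) || empty( $value['file']['file_path'] ) ) {
            continue;
        }
        foreach ( (array) $value['file']['file_path'] as $path ) {
            if ( ! is_string( $path ) ) {
                continue;
            }
            // 2. Canonicalise (resolves ../ and symlinks) and require the result
            //    to sit strictly below the uploads base directory.
            $real = realpath( $path );
            if ( false === $real || 0 !== strpos( $real, $base_dir . DIRECTORY_SEPARATOR ) ) {
                continue;
            }
            // 3. Regular file with an allowed extension only.
            if ( ! is_file( $real ) ) {
                continue;
            }
            $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
            if ( ! in_array( $ext, $allowed_ext, true ) ) {
                continue;
            }
            wp_delete_file( $real );
            $deleted[] = $real;
        }
    }
    return $deleted;
}
```

Two design points worth noting. Containment is checked on the `realpath()` result rather than on the raw string, so a symlink placed inside the uploads directory that points elsewhere resolves outside `$base_dir` and is refused, and a string-prefix test on the unresolved path could not provide that. Second, the field type is taken from the form definition, not from the submitted entry: the advisory's root cause is that `save_entry_fields()` stores file arrays for any field, so a deletion routine that trusts the stored metadata to tell it which fields are uploads would inherit the same flaw. Applying the same type check at save time, so that non-upload fields never persist a file array, gives defense in depth.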

Discovery and Disclosure

Security researcher Phat RiO – BlueRock discovered and responsibly disclosed this flaw through Wordfence’s Bug Bounty Program, earning $8,100, the highest bounty the program has awarded to date. The vulnerability was initially reported on June 20, 2025, and affects all versions of Forminator up to and including version 1.44.2.

Mitigation Measures

To protect websites from potential exploitation, it is imperative for administrators to update the Forminator plugin to version 1.44.3 or later immediately. This update addresses the vulnerability by implementing proper validation and sanitization of file paths, ensuring that only authorized files are deleted during form submission processing.

Recommendations for Enhanced Security

1. Immediate Update: Ensure that the Forminator plugin is updated to version 1.44.3 or later to patch the vulnerability.

2. Regular Plugin Maintenance: Keep all WordPress plugins and themes updated to their latest versions to benefit from security patches and improvements.

3. Limit Plugin Usage: Use only essential plugins to reduce the attack surface and minimize potential vulnerabilities.

4. Regular Backups: Implement a robust backup strategy to ensure that recent copies of the website are available for restoration in case of compromise.

5. Monitor for Suspicious Activity: Utilize security plugins and monitoring tools to detect and respond to unauthorized activities promptly.

Conclusion

The discovery of CVE-2025-6463 in the Forminator WordPress plugin underscores the critical importance of maintaining up-to-date software and implementing robust security practices. By promptly updating to the latest version and adhering to recommended security measures, website administrators can safeguard their sites against potential exploitation and ensure the integrity and availability of their online presence.