The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks.
The security issue is tracked as CVE-2025-6463 and has a high-severity impact (CVSS 8.8 score). It impacts all versions of Forminator up to 1.44.2.
Forminator Forms is a plugin developed by WPMU DEV. It offers a flexible, visual drag‑and‑drop builder to help users create and embed a wide range of form-based content on WordPress sites.
According to statistics from WordPress.org, the plugin is currently active on more than 600,000 websites.
The vulnerability stems from insufficient validation and sanitization of form field input and unsafe file deletion logic in the plugin’s backend code.
When a user submits a form, the ‘save_entry_fields()’ function saves all field values, including file paths, without checking if those fields are supposed to handle files.
An attacker could exploit this behavior to insert a crafted file array into any field, including text fields, mimicking an uploaded file with a custom path that points to a critical file, such as ‘/var/www/html/wp-config.php’.
When an administrator deletes that submission, or when the plugin auto-deletes old submissions (if so configured), Forminator wipes the core WordPress file, forcing the website into a “setup” stage where it’s vulnerable to takeover.
“Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control,” explains Wordfence.
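The description above implies two missing checks: the field's declared type must be trusted over the submitted data, and a path must resolve inside the uploads directory before it is unlinked. The following is an added example in plain PHP, not Forminator's own code; the function names, the `$fields` layout and the `'upload'` type name are assumptions.

```php
<?php
// Hypothetical hardened deletion helper for a form plugin (example code, not
// Forminator's). Two defences: (1) only fields the form definition declares as
// 'upload' fields are allowed to carry file paths, so a file array smuggled
// into a text field is ignored; (2) every path is canonicalised and must lie
// under the uploads directory, so '/var/www/html/wp-config.php' is refused.

/** True if $path is an existing regular file located under $uploadsDir. */
function is_path_inside_uploads(string $path, string $uploadsDir): bool
{
    $base = realpath($uploadsDir);   // collapses '..' and symlinks
    $real = realpath($path);         // false if the file does not exist
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Prefix check on the canonical path, including the trailing separator,
    // so '/uploads-evil/x' does not match '/uploads'.
    return strncmp($real, $base, strlen($base)) === 0;
}

/**
 * Delete files attached to one stored submission.
 * $fields     : assumed layout, field name => ['files' => [path, ...]]
 * $fieldTypes : the form definition, field name => declared type
 * Returns the paths that were actually deleted.
 */
function delete_entry_files(array $fields, array $fieldTypes, string $uploadsDir): array
{
    $deleted = [];
    foreach ($fields as $name => $field) {
        // Trust the form definition, never the submitted entry, for the type.
        if (($fieldTypes[$name] ?? '') !== 'upload') {
            continue;
        }
        foreach ((array) ($field['files'] ?? []) as $path) {
            if (!is_string($path) || !is_path_inside_uploads($path, $uploadsDir)) {
                error_log("refused to delete path outside uploads: " . var_export($path, true));
                continue;
            }
            if (unlink($path)) {
                $deleted[] = $path;
            }
        }
    }
    return $deleted;
}
```

With a stored entry whose text field carries `['files' => ['/var/www/html/wp-config.php']]`, the type check skips the field entirely, and even a genuine upload field pointing at that path fails the containment check and is logged rather than deleted.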
Discovery and patching