
Forminator Plugin Flaw Leaves 400K WordPress Sites Vulnerable to Takeover

A critical vulnerability in the Forminator WordPress plugin could allow attackers to gain control of over 400,000 websites. 

Forminator is a widely used form builder plugin with more than 600,000 active installations. It enables users to create various forms, such as contact forms, payment forms, and polls.

The plugin was found to contain a flaw tracked as CVE-2025-6463, with a CVSS score of 8.8. This arbitrary file deletion vulnerability occurs because the plugin does not properly validate file paths in a function that deletes uploaded files from form submissions. 

According to security firm Defiant, the function that stores form field entries in the database fails to properly sanitize field values. This flaw allows attackers to submit file arrays through form fields. 

Additionally, the function used to delete uploaded files when a form is removed does not check for valid field types, file extensions, or proper upload directories. 

Defiant explains that the function will delete all files listed in the metadata if it receives a file array. Since users can supply a file array in any form field, even when the field should not accept files, this makes the vulnerability exploitable on any active form. 

The vulnerability can be used by unauthenticated attackers to delete any file on the server by targeting a form for deletion. This can happen either manually or automatically, based on the site’s configuration. 

One potential attack involves deleting the site’s wp-config.php file. This forces the site into a setup state, allowing an attacker to take full control. Although the exploit requires a form deletion event, attackers can easily trigger this by submitting spam-like entries, making it a highly exploitable issue. 

Forminator version 1.44.3 fixes the vulnerability by adding a file path check. Now, the deletion function only removes files uploaded through designated ‘upload’ or ‘signature’ fields located within the WordPress uploads directory. 
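To make the described fix concrete, here is an added illustration in PHP (not Forminator's own code): a deletion routine that only acts on fields whose configured type is 'upload' or 'signature' and whose path resolves inside the uploads directory. The field names, the metadata array and the temporary directory are constructed for the example.

```php
<?php
// Added illustration, not Forminator's code. Field names, $fieldTypes and the
// sample metadata are constructed; the temp directory stands in for wp-content/uploads.

// True only if $path resolves to an existing file strictly inside $uploadsDir.
function path_inside_uploads(string $path, string $uploadsDir): bool {
    $base = realpath($uploadsDir);
    $real = realpath($path);              // collapses '..' segments and symlinks
    if ($base === false || $real === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0;
}

// $meta is the stored submission; $fieldTypes comes from the form definition,
// so a submitter cannot turn a text field into a file field by shape alone.
function delete_submission_files(array $meta, array $fieldTypes, string $uploadsDir): array {
    $result = ['deleted' => [], 'refused' => []];
    foreach ($meta as $fieldName => $field) {
        $type = $fieldTypes[$fieldName] ?? '';
        if (!in_array($type, ['upload', 'signature'], true)) {
            $result['refused'][] = $fieldName;   // wrong field type: skip the field
            continue;
        }
        foreach ((array) ($field['file']['file_path'] ?? []) as $path) {
            if (is_string($path) && path_inside_uploads($path, $uploadsDir)) {
                unlink(realpath($path));
                $result['deleted'][] = $path;
            } else {
                $result['refused'][] = $path;    // outside uploads dir: refuse
            }
        }
    }
    return $result;
}

// Self-contained demo: a throwaway uploads dir with one legitimate upload and a
// decoy config file one level up that a traversal path tries to reach.
$root = sys_get_temp_dir() . '/forminator-demo-' . getmypid();
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/photo.jpg", 'x');
file_put_contents("$root/wp-config.php", 'x');
$meta = [
    'upload-1' => ['file' => ['file_path' => ["$root/uploads/photo.jpg"]]],
    'text-1'   => ['file' => ['file_path' => ["$root/uploads/../wp-config.php"]]],
    'upload-2' => ['file' => ['file_path' => ["$root/uploads/../wp-config.php"]]],
];
$types = ['upload-1' => 'upload', 'text-1' => 'text', 'upload-2' => 'upload'];
print_r(delete_submission_files($meta, $types, "$root/uploads"));
var_dump(file_exists("$root/wp-config.php"));   // decoy survives both attempts
```

Only photo.jpg is removed: the text field is skipped by the type check, and the upload field pointing outside the uploads directory is refused by the path check.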

The patch was released on June 30, but WordPress stats show it has been downloaded fewer than 200,000 times. This means over 400,000 websites remain at risk.

The researcher who discovered the vulnerability reported it through the Wordfence Bug Bounty Program and received an $8,100 reward. 

Users are strongly advised to update their Forminator plugin to the latest version immediately to protect their sites from potential attacks. 
