
Forminator plugin flaw exposes WordPress websites to takeover attacks


The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could allow full website takeover attacks.

The security issue is tracked as CVE-2025-6463 and has a high-severity impact (CVSS score 8.8). It affects all versions of Forminator up to 1.44.2.

Forminator Forms is a plugin developed by WPMU DEV. It offers a flexible, visual drag-and-drop builder to help users create and embed a wide range of form-based content on WordPress sites.

According to statistics from WordPress.org, the plugin is currently active on more than 600,000 websites.

The vulnerability stems from insufficient validation and sanitization of form field input and unsafe file deletion logic in the plugin's backend code.

When a user submits a form, the 'save_entry_fields()' function saves all field values, including file paths, without checking whether those fields are supposed to handle files.

An attacker could exploit this behavior to insert a crafted file array into any field, including text fields, mimicking an uploaded file with a custom path that points to a critical file, such as '/var/www/html/wp-config.php'.

When an admin deletes this submission, or when the plugin auto-deletes old submissions (if so configured), Forminator wipes the core WordPress file, forcing the site into a "setup" state where it is vulnerable to takeover.

"Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control," explains Wordfence.

Discovery and patching

CVE-2025-6463 was discovered by security researcher 'Phat RiO – BlueRock', who reported it to Wordfence on June 20 and received a bug bounty of $8,100.

Following internal validation of the exploit, Wordfence contacted WPMU DEV on June 23, who acknowledged the report and started working on a fix.

On June 30, the vendor released Forminator version 1.44.3, which adds a field type check and file path validation that ensures deletions are restricted to the WordPress uploads directory.

Since the release of the patch, there have been 200,000 downloads, but it is unclear how many sites are currently vulnerable to CVE-2025-6463 exploitation.

If you use Forminator on your website, it is strongly recommended to update to the latest version or deactivate the plugin until you can move to a safe version.

At this time, there are no reports of active exploitation of CVE-2025-6463, but the public disclosure of the technical details, combined with the ease of exploitation, could lead to threat actors moving quickly to explore its potential in attacks.
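The two checks described for the 1.44.3 patch (a field type check and a path restriction to the uploads directory), modelled in Python as an added example rather than the plugin's own PHP code; the function name, the entry field layout (field_type, value.path) and the temporary site layout are assumptions constructed for the demo, not Forminator's real data structures.

```python
import os
import tempfile


def safe_delete_entry_file(entry_field: dict, uploads_dir: str) -> bool:
    """Delete a submission's file only if the field is declared as an upload
    field AND the stored path resolves inside uploads_dir. Returns True when a
    file was removed, False when the request was rejected or nothing existed."""
    # Check 1: trust the form definition's field type, never the submitted data.
    # A crafted file array stored in a text field never reaches the unlink.
    if entry_field.get("field_type") != "upload":
        return False
    value = entry_field.get("value")
    raw_path = value.get("path") if isinstance(value, dict) else None
    if not raw_path:
        return False
    # Check 2: canonicalise both sides (resolves '..' and symlinks), then require
    # the target to be a strict descendant of the uploads directory.
    base = os.path.realpath(uploads_dir)
    target = os.path.realpath(raw_path)
    if target == base or os.path.commonpath([base, target]) != base:
        return False
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Constructed scenario in a temp dir: a fake site root holding wp-config.php
    outside uploads, plus one legitimate upload inside uploads."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")
    legit = os.path.join(uploads, "cv.pdf")
    for path in (config, legit):
        with open(path, "w") as fh:
            fh.write("placeholder")
    # Text field carrying a file array that points at wp-config.php: type check rejects it.
    text_field = {"field_type": "text", "value": {"path": config}}
    # Upload field whose path escapes uploads via '..': path check rejects it.
    traversal = {"field_type": "upload",
                 "value": {"path": os.path.join(uploads, "..", "..", "wp-config.php")}}
    # Genuine upload inside the uploads directory: deleted as intended.
    genuine = {"field_type": "upload", "value": {"path": legit}}
    return {
        "text_field_rejected": not safe_delete_entry_file(text_field, uploads),
        "traversal_rejected": not safe_delete_entry_file(traversal, uploads),
        "genuine_deleted": safe_delete_entry_file(genuine, uploads),
        "config_intact": os.path.isfile(config),
    }
```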
