Critical Vulnerability in Forminator Plugin Puts Over 400,000 WordPress Sites at Risk

Friday, July 4, 2025

Cybersecurity experts from Defiant have disclosed a critical vulnerability in the popular WordPress plugin Forminator, which is used to create forms such as contact forms, payment forms, and surveys. The plugin has over 600,000 active installations worldwide. The vulnerability, identified as CVE-2025-6463, has been assigned a CVSS severity score of 8.8, classifying it as high risk. It stems from inadequate file path validation in the plugin’s file deletion function, potentially allowing attackers to delete arbitrary files on the server.

According to the researchers, the plugin fails to properly sanitize the data it saves from form submissions, so an attacker can inject unexpected file data into form fields. When the form is later deleted (either by an administrator or through an automated process), the file deletion routine checks neither the file type nor the field type, so any file on the server can be deleted. If wp-config.php is deleted, for example, the WordPress site falls back into setup mode, allowing an attacker to take over the site immediately.

Although the vulnerability has been patched in version 1.44.3, released on June 30, which now restricts file deletion to only designated upload fields, data from WordPress.org indicates that fewer than 200,000 sites have installed the update in the past two days. This means over 400,000 sites remain vulnerable.
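As an added illustration of the flaw described above and of the kind of check the fix introduces (this is not Forminator's code; the function names, field layout and temp-directory sandbox are made up), here is the unchecked deletion pattern beside a hardened version that only removes files owned by declared upload fields and confined to the upload directory:

```php
<?php
// Added illustration, not Forminator's code: delete a submission's files
// only for fields declared as upload fields and only inside the upload dir.
// Constructed sandbox: one file inside the upload dir, one outside it.
$root       = sys_get_temp_dir() . '/forminator-demo-' . getmypid();
$upload_dir = $root . '/uploads';
mkdir($upload_dir, 0700, true);
file_put_contents($root . '/wp-config.php', '<?php // stand-in for the site config');
file_put_contents($upload_dir . '/resume.pdf', 'stand-in for an uploaded file');
// Form definition: only 'resume' is an upload field.
$form_fields = ['name' => ['type' => 'text'], 'resume' => ['type' => 'upload']];
// Stored submission in which a non-upload field carries a file path.
$submission = [
    'name'   => ['file' => $root . '/wp-config.php'],
    'resume' => ['file' => $upload_dir . '/resume.pdf'],
];
// Pattern the article describes: every stored 'file' value is unlinked.
function delete_files_unchecked(array $submission): array {
    $removed = [];
    foreach ($submission as $value) {
        if (!empty($value['file']) && is_file($value['file'])) {
            unlink($value['file']);
            $removed[] = $value['file'];
        }
    }
    return $removed;
}
// Hardened: the field must be an upload field and the resolved path must
// stay inside the upload directory (realpath collapses ../ and symlinks).
function delete_files_checked(array $submission, array $fields, string $upload_dir): array {
    $removed = [];
    $base = rtrim(realpath($upload_dir), '/') . '/';
    foreach ($submission as $name => $value) {
        if (($fields[$name]['type'] ?? '') !== 'upload') {
            continue; // only designated upload fields may own files
        }
        $file = (string) ($value['file'] ?? '');
        $path = $file === '' ? false : realpath($file);
        if ($path === false || strncmp($path, $base, strlen($base)) !== 0) {
            continue; // missing, or outside the upload directory
        }
        unlink($path);
        $removed[] = $path;
    }
    return $removed;
}
print_r(delete_files_checked($submission, $form_fields, $upload_dir)); // only resume.pdf
var_dump(is_file($root . '/wp-config.php'));                          // bool(true): config survived
```

Calling delete_files_unchecked on the same submission would remove the stand-in wp-config.php as well, which is the outcome the article warns about.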

The researcher who discovered the flaw was awarded $8,100 USD through the Wordfence Bug Bounty Program. All users of the Forminator plugin are strongly urged to update to the latest version immediately to protect their websites from potential exploitation.

Source: https://www.securityweek.com/forminator-wordpress-plugin-vulnerability-exposes-400000-websites-to-takeover/