PT-2025-27598 · WordPress · The Forminator Forms

Phat Rio · Published 2025-06-30 · Updated 2025-08-21 · CVE-2025-6463

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress versions up to, and including, 1.44.2
Description: The Forminator plugin for WordPress is vulnerable to arbitrary file deletion because the function that deletes an entry's uploaded files does not sufficiently validate the stored file paths. An unauthenticated attacker can place arbitrary file paths in a form submission; when that submission is later deleted, either manually by an administrator or automatically under the plugin's retention settings, the files at those paths are removed from disk. Deleting the right file leads to remote code execution: once wp-config.php is gone, WordPress falls back into its installation flow, and the attacker can complete setup against a database they control and take over the site. The vulnerability affects over 600,000 WordPress sites and has been actively exploited, with mass deletion of wp-config.php and subsequent site takeover reported.
Recommendations: For versions up to and including 1.44.2, update the Forminator plugin to version 1.44.3 or later immediately. Until the update is applied, consider disabling automatic submission deletion and restricting who may delete submissions, to shrink the exploitation window. Review web server and WordPress logs for deletions of files outside /wp-content/uploads/ and for form submissions whose field values carry absolute paths or "../" traversal sequences, and add WAF rules that block such submissions. A site that unexpectedly shows the WordPress installation screen should be treated as compromised, since wp-config.php has most likely been deleted. Consider a security plugin such as Wordfence for ongoing monitoring.
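The following is an added illustration, not Forminator's own code and not the vendor's fix: it shows the bug class described above (a delete routine that trusts a path stored in a form entry) next to a hardened variant that only unlinks regular files inside the uploads directory. All function names are hypothetical, and the directory layout is constructed in the system temp dir so the script runs without WordPress; in a plugin the base directory would come from wp_upload_dir()['basedir'].

```php
<?php
// Added example, not Forminator code. Function names are hypothetical.

/** Vulnerable pattern: whatever path the entry stored gets deleted. */
function demo_delete_upload_vulnerable( string $path ): bool {
    return file_exists( $path ) && unlink( $path );
}

/**
 * True only if $candidate canonicalises to a path strictly inside $base.
 * realpath() resolves "..", "." and symlinks, so both a traversal string
 * and a symlink planted in uploads that points at wp-config.php are rejected.
 */
function demo_path_inside( string $candidate, string $base ): bool {
    $real_base = realpath( $base );
    $real      = realpath( $candidate );
    if ( false === $real_base || false === $real ) {
        return false; // nonexistent base or target: nothing to delete anyway
    }
    // Trailing separator stops "/uploads-evil/x" from matching "/uploads".
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strncmp( $real, $real_base, strlen( $real_base ) );
}

/** Hardened pattern: containment check plus regular-file check before unlink. */
function demo_delete_upload_safe( string $path, string $uploads_base ): bool {
    if ( ! demo_path_inside( $path, $uploads_base ) ) {
        error_log( 'Refused to delete path outside uploads dir: ' . $path );
        return false;
    }
    $real = realpath( $path );
    return is_file( $real ) && unlink( $real );
}

// Constructed stand-alone layout (not a real site):
//   <tmp>/forminator-demo-<pid>/wp-config.php
//   <tmp>/forminator-demo-<pid>/wp-content/uploads/forminator/attachment.txt
$site    = sys_get_temp_dir() . '/forminator-demo-' . getmypid();
$uploads = $site . '/wp-content/uploads';
mkdir( $uploads . '/forminator', 0700, true );
file_put_contents( $site . '/wp-config.php', "<?php // constructed placeholder\n" );
file_put_contents( $uploads . '/forminator/attachment.txt', 'constructed attachment' );

// A submission that smuggled a traversal path into the "uploaded file" field,
// beside a legitimate attachment path.
$hostile = $uploads . '/forminator/../../../wp-config.php';
$benign  = $uploads . '/forminator/attachment.txt';

echo 'safe delete of hostile path: ';
var_dump( demo_delete_upload_safe( $hostile, $uploads ) );
echo 'wp-config.php still present: ';
var_dump( file_exists( $site . '/wp-config.php' ) );
echo 'safe delete of benign path: ';
var_dump( demo_delete_upload_safe( $benign, $uploads ) );
echo 'vulnerable delete of hostile path: ';
var_dump( demo_delete_upload_vulnerable( $hostile ) );
echo 'wp-config.php still present: ';
var_dump( file_exists( $site . '/wp-config.php' ) );
```

Run with `php demo.php`: the hardened routine refuses the traversal path and the placeholder wp-config.php survives, the benign attachment is deleted, and the vulnerable routine then removes the placeholder wp-config.php, which is exactly the outcome the advisory reports on live sites. The containment check is done on the canonical path from realpath(), not on the attacker-supplied string, because string filters for "../" miss encoded variants and symlinks; the is_file() check additionally keeps the routine from ever unlinking directories or special files.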

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-09317
CVE-2025-6463

Affected Products

The Forminator Forms