Original Article Text


Forminator plugin flaw exposes WordPress sites to takeover attacks

The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks. The security issue is tracked as CVE-2025-6463 and has a high-severity impact (CVSS 8.8 score). It affects all versions of Forminator up to and including 1.44.2.

Forminator Forms is a plugin developed by WPMU DEV. It offers a flexible, visual drag-and-drop builder to help users create and embed a wide range of form-based content on WordPress sites. According to statistics from WordPress.org, the plugin is currently active on more than 600,000 websites.

The vulnerability stems from insufficient validation and sanitization of form field input and unsafe file deletion logic in the plugin's backend code. When a user submits a form, the 'save_entry_fields()' function saves all field values, including file paths, without checking whether the field is of a type that is supposed to handle files.

An unauthenticated attacker can exploit this behavior by inserting a crafted file array into any field, including plain text fields, that mimics an uploaded file with a custom path pointing to a critical file such as '/var/www/html/wp-config.php'. The deletion itself is triggered later: when an administrator deletes the submission, or when the plugin auto-deletes old submissions (if configured to do so), Forminator unlinks the stored path and wipes the core WordPress file, forcing the site into the "setup" stage, where it is vulnerable to takeover.

"Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control," explains Wordfence.

Discovery and patching

CVE-2025-6463 was discovered by security researcher 'Phat RiO – BlueRock', who reported it to Wordfence on June 20 and received a bug bounty of $8,100. Following internal validation of the exploit, Wordfence contacted WPMU DEV on June 23; the vendor acknowledged the report and started working on a fix.
On June 30, the vendor released Forminator version 1.44.3, which adds a field type check and file path validation that limits deletions to the WordPress uploads directory. Since the release of the patch there have been 200,000 downloads, but it is unclear how many installations remain vulnerable to CVE-2025-6463 exploitation.

If you use Forminator on your website, update it to the latest version and confirm that the installed version is 1.44.3 or later, or deactivate the plugin until you can move to a safe version.

At this time, there are no reports of active exploitation of CVE-2025-6463, but the public disclosure of the technical details, combined with the ease of exploitation, could lead threat actors to quickly explore its potential in attacks.
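The following PHP is an added illustration of the deletion pattern the article describes and of the two checks the patch is said to introduce (a field type check and confinement to the uploads directory). It is not Forminator's code: the function names, the entry array layout ('value' => ['file' => ['file_path' => ...]]), the field type names and the sample entry are all assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, NOT Forminator's code. Field names, array layout and
// function names are assumptions made for this example.

// Field types that are allowed to carry file data (assumed type name).
const FILE_FIELD_TYPES = ['upload'];

// Vulnerable pattern: every saved field is inspected for a "file" array and
// the stored path is unlinked as-is, whatever the field's type. A text field
// carrying ['file' => ['file_path' => '/path/to/wp-config.php']] is enough.
function delete_entry_files_vulnerable(array $entryFields): array
{
    $deleted = [];
    foreach ($entryFields as $field) {
        $path = $field['value']['file']['file_path'] ?? null;
        if (is_string($path) && is_file($path)) {
            unlink($path);              // attacker-controlled path
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// Hardened pattern: (1) only fields declared as file fields may carry file
// data; (2) the canonical path must live inside the uploads directory.
function delete_entry_files_hardened(array $entryFields, array $fieldTypes, string $uploadsBase): array
{
    $deleted = [];
    $base = realpath($uploadsBase);
    if ($base === false) {
        return $deleted;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach ($entryFields as $field) {
        $type = $fieldTypes[$field['name']] ?? '';
        if (!in_array($type, FILE_FIELD_TYPES, true)) {
            continue;                   // text fields never own files
        }
        $path = $field['value']['file']['file_path'] ?? null;
        if (!is_string($path)) {
            continue;
        }
        // realpath() resolves "..", "./" and symlinks, so a symlink dropped
        // into uploads that points at wp-config.php is rejected as well.
        $real = realpath($path);
        if ($real === false || !is_file($real) || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        unlink($real);
        $deleted[] = $real;
    }
    return $deleted;
}

// Demo on a scratch directory with constructed sample data (run from the CLI).
$root    = sys_get_temp_dir() . '/forminator-demo-' . getmypid();
$uploads = $root . '/wp-content/uploads';
mkdir($uploads, 0700, true);
$makeFiles = static function () use ($root, $uploads): void {
    file_put_contents($root . '/wp-config.php', "<?php // fake config\n");
    file_put_contents($uploads . '/resume.pdf', 'fake upload');
};

// Assumed entry layout: a text field smuggling a file array, plus a real upload.
$entry = [
    ['name' => 'text-1',   'value' => ['file' => ['file_path' => $root . '/wp-config.php']]],
    ['name' => 'upload-1', 'value' => ['file' => ['file_path' => $uploads . '/resume.pdf']]],
];
$fieldTypes = ['text-1' => 'text', 'upload-1' => 'upload'];

$makeFiles();
$removed = delete_entry_files_vulnerable($entry);
printf("vulnerable removed: %s\n", implode(', ', $removed));
printf("wp-config.php present after vulnerable run: %s\n", is_file($root . '/wp-config.php') ? 'yes' : 'no');

$makeFiles();
$removed = delete_entry_files_hardened($entry, $fieldTypes, $uploads);
printf("hardened removed: %s\n", implode(', ', $removed));
printf("wp-config.php present after hardened run: %s\n", is_file($root . '/wp-config.php') ? 'yes' : 'no');

// Cleanup of the scratch directory.
@unlink($root . '/wp-config.php');
@unlink($uploads . '/resume.pdf');
rmdir($uploads);
rmdir($root . '/wp-content');
rmdir($root);
```

Run with `php example.php`. The vulnerable routine removes both the legitimate upload and the fake wp-config.php, because it never asks whether the field that stored the path is an upload field. The hardened routine removes only resume.pdf: the text field is skipped on the type check, and even a path smuggled through a genuine upload field is dropped unless its canonical location is under the uploads directory. Checking the realpath() prefix rather than the raw string is what closes the "../" and symlink variants of the same bug.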

Daily Brief Summary

MALWARE // Critical Forminator Plugin Flaw Risks WordPress Site Takeovers

A severe vulnerability in the Forminator plugin for WordPress, identified as CVE-2025-6463 with a CVSS score of 8.8, risks entire site takeovers.

The plugin is popular, installed on over 600,000 websites, and allows users to create forms with a drag-and-drop interface.

The flaw originates from improper validation and sanitization of form field input: file paths submitted through any field are stored with the entry and later handed to the plugin's deletion logic, enabling arbitrary file deletion.

Attackers can exploit the vulnerability by submitting a crafted file array with an attacker-chosen path in any form field, so that deleting the entry removes essential WordPress files like wp-config.php.

The deletion of critical files forces WordPress sites into a setup state, where attackers can potentially gain control by linking the site to their own database.

The issue was reported by a security researcher, resulting in a bug bounty of $8,100 and a rapid response from the developers, who issued a patch within ten days.

Version 1.44.3 of Forminator, which fixes the vulnerability, has been released, but the total number of updated installations remains unclear.

Although there are no current reports of active exploitation, the exposure of technical details makes it likely that attackers will soon attempt to exploit this vulnerability.