CVE-2025-6463: Critical Forminator Plugin Flaw Puts 600,000 WordPress Sites at Risk


A serious vulnerability in the popular Forminator plugin for WordPress has exposed over 600,000 websites to the risk of complete site takeover. The flaw, now tracked as CVE-2025-6463, has been rated as high severity with a CVSS score of 8.8, making it a top concern for WordPress website administrators.

Forminator, developed by WPMU DEV, is a widely-used WordPress plugin that helps users create contact forms, surveys, polls, quizzes, and more through a drag-and-drop interface. Its flexibility and ease of use have made it a go-to plugin, currently active on more than 600,000 WordPress websites.

However, a critical bug in versions up to 1.44.2 allows unauthenticated attackers to delete arbitrary files from the website’s server. In simple terms, hackers don’t even need to log in to exploit this vulnerability and can potentially erase core WordPress files—effectively bringing down the site and giving them a chance to take full control.

The vulnerability exists due to insufficient input validation and unsafe file deletion logic in the plugin’s backend code. When someone fills out a form created with Forminator, the plugin uses a function called save_entry_fields() to save the form data. This function doesn’t check if the fields are meant to handle files—so an attacker could trick the system by inserting fake file information into regular text fields.

By exploiting this weakness, an attacker can submit a form that appears to contain a file with a path to a critical file on the server, such as:

/var/www/html/wp-config.php

This particular file is the heart of a WordPress website, containing database access credentials and configuration settings.

If the website’s admin deletes the form submission (or if the plugin is set to auto-delete old entries), the plugin could accidentally delete this core file. Once that happens, the site enters the initial setup mode, giving the attacker an opportunity to reconnect it to a malicious database and fully compromise the website.

According to Wordfence, a leading WordPress security company:

“Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.”


This serious WordPress security flaw was found by a researcher who goes by the alias ‘Phat RiO – BlueRock’. The flaw was reported to Wordfence on June 20, 2025, and after verifying its authenticity, Wordfence reached out to the plugin developers, WPMU DEV, on June 23.

The developer team quickly responded, and on June 30, they released a patched version—Forminator 1.44.3. This update introduces proper validation checks to make sure file deletions are limited only to files within the safe WordPress uploads directory.
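The two checks the article describes, rejecting file metadata on fields that are not file-upload fields and confining deletions to the uploads directory, can be illustrated with a small stand-alone helper. The code below is an added example, not Forminator's own code or the vendor's patch: the shape of the `$field` array (a `type` key of `'upload'` and a nested `file.path` entry) is an assumption made for illustration, and the temporary directory stands in for `wp_upload_dir()['basedir']` so the script runs outside WordPress.

```php
<?php
// Added example (not Forminator's code): a deletion helper that only removes
// files on genuine upload fields and only when the canonical path lives under
// the uploads directory. Field layout ($field['type'], $field['file']['path'])
// is assumed for illustration.

/**
 * Return the canonical path if $candidate resolves to a location inside
 * $base_dir, or null otherwise (missing file, traversal, symlink escaping
 * the directory).
 */
function resolve_within_directory(string $base_dir, string $candidate): ?string {
    $base = realpath($base_dir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null; // base directory or target does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Compare canonical paths with the trailing separator so that
    // "/srv/uploads" does not accidentally match "/srv/uploads-other/...".
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Delete the file attached to one form entry field. Returns true only when a
 * file was actually removed; every refusal returns false and is logged.
 */
function delete_entry_file(array $field, string $uploads_dir): bool {
    // Check 1: file metadata is only honoured on fields that really are
    // file-upload fields, so a path smuggled into a text field is ignored.
    if (($field['type'] ?? '') !== 'upload') {
        return false;
    }
    $path = $field['file']['path'] ?? '';
    if (!is_string($path) || $path === '') {
        return false;
    }
    // Check 2: canonicalise and confine the path to the uploads directory.
    $safe = resolve_within_directory($uploads_dir, $path);
    if ($safe === null || !is_file($safe)) {
        error_log('Refused to delete path outside uploads directory: ' . $path);
        return false;
    }
    return unlink($safe);
}

// Constructed fixture: a throwaway uploads directory plus one file outside it.
// In a real plugin $uploads would come from wp_upload_dir()['basedir'].
$uploads = sys_get_temp_dir() . '/example-uploads';
@mkdir($uploads, 0700, true);
file_put_contents($uploads . '/attachment.txt', 'sample attachment');
$outside = sys_get_temp_dir() . '/example-config.php';
file_put_contents($outside, "<?php // stand-in for a configuration file\n");

$cases = [
    // Genuine upload field, path inside the uploads directory: deleted.
    'upload field inside uploads dir' =>
        ['type' => 'upload', 'file' => ['path' => $uploads . '/attachment.txt']],
    // Fake file metadata on a text field: refused by the type check.
    'text field carrying a file path' =>
        ['type' => 'text', 'file' => ['path' => $outside]],
    // Upload field whose stored path traverses out of the directory: refused.
    'upload field with traversal' =>
        ['type' => 'upload', 'file' => ['path' => $uploads . '/../example-config.php']],
];

foreach ($cases as $label => $field) {
    $result = delete_entry_file($field, $uploads) ? 'deleted' : 'refused';
    printf("%-35s %s\n", $label . ':', $result);
}

// Clean up the fixture files.
@unlink($outside);
@rmdir($uploads);
```

Both checks are needed: the type check stops file metadata from being accepted where the form never asked for a file, and the `realpath()` prefix check means that even a stored path on a real upload field cannot reach outside the uploads directory through `..` segments or symlinks.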

The researcher was awarded a bug bounty of $8,100 for responsibly disclosing the issue.

Since the update was released, the patched version has already been downloaded over 200,000 times. However, it is currently unclear how many websites still run outdated versions of the plugin and are vulnerable to CVE-2025-6463.

At this time, no active attacks exploiting this vulnerability have been reported. But now that technical details are publicly available, attackers may act quickly to target unpatched sites.

If your WordPress site uses the Forminator plugin, act immediately to secure it:

  • Update the plugin to the latest version (1.44.3 or newer)

  • If an update is not immediately possible, disable the plugin temporarily

  • Review your form field settings and remove unnecessary file fields

  • Regularly monitor your site and enable a WordPress firewall (such as Wordfence)

This incident highlights how even popular and trusted plugins can introduce critical security risks if not regularly maintained or monitored. With WordPress powering over 43% of the web, vulnerabilities in widely-used plugins like Forminator can become a massive attack vector if left unpatched.

As always, WordPress administrators should:

  • Keep plugins and themes updated

  • Use a security plugin or WAF (Web Application Firewall)

  • Monitor vulnerability reports and apply patches as soon as possible

By taking prompt action, you can avoid being the next victim of a WordPress site takeover caused by CVE-2025-6463.
