NEWS 8.8 out of 10: Critical vulnerability threatens hundreds of thousands of WordPress sites

ExcalibuR


CVE-2025-6463 allows hackers to hijack your site right under your nose.


A serious vulnerability has been discovered in the popular WordPress plugin Forminator that allows unauthenticated attackers to delete arbitrary files on the web server. Because the deletable files include the site's own configuration, the issue can lead to a complete site takeover. It has been assigned the identifier CVE-2025-6463 and carries a CVSS score of 8.8 (High on the CVSS v3.1 scale).


Forminator is developed by WPMU DEV. The plugin offers a visual drag-and-drop builder that lets site owners create contact, payment and other forms and embed them on pages without writing code. According to official statistics from WordPress.org, Forminator is currently active on over 600,000 sites worldwide.


The vulnerability stems from insufficient validation and sanitization of submitted form data combined with insecure file-deletion logic in the plugin's server-side code. The problematic code is the function "save_entry_fields()", which stores the value of every submitted field as-is, including structures that carry file paths, without checking whether that particular field is actually a file-upload field.


An attacker exploits this by submitting, in any ordinary text field of the form, a specially crafted data array that mimics the value of an uploaded file. Inside that array the attacker can place the path of a critical site file, such as the WordPress configuration file "/var/www/html/wp-config.php". When the stored submission is later deleted, either manually by an administrator or by the plugin's automatic clean-up of old submissions (if that setting is enabled), the plugin unlinks the file at the stored path, so the named file is physically removed from the server.


Deleting the WordPress configuration file drops the site back into its initial installation mode. At that point the attacker can run the setup wizard, point the site at a database under their control and thereby gain full control of the site.


As the security team at Wordfence explains, this mechanism is what makes the vulnerability so dangerous: successful exploitation does not merely destroy files, it leaves the site fully exposed to takeover.


The flaw was found by a researcher using the pseudonym Phat RiO from BlueRock, who reported it to Wordfence on June 20 and received a bounty of $8,100 for the report. After an internal review, Wordfence contacted the plugin developer, WPMU DEV, on June 23. The company confirmed the issue and began working on a fix.


On June 30, a new version of Forminator was released (version 1.44.3); all versions up to and including 1.44.2 are affected. The fix adds field-type checks and validation of file paths, so that only files inside the WordPress uploads directory can be deleted.
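To make the bug class concrete, here is an added PHP illustration; it is not Forminator's code and not the patch WPMU DEV shipped. It models an entry-deletion routine that trusts whatever path a stored field value carries, beside a hardened version that applies the two checks the fix description implies: the field must be declared as an upload field, and the resolved path must lie inside the uploads directory. The function names, the entry layout and the "file_path" key are assumptions for this example; a real plugin would take the base directory from wp_upload_dir()['basedir'] instead of a temp folder.

```php
<?php
declare(strict_types=1);

/*
 * Added illustration of the CVE-2025-6463 bug class. NOT Forminator's code.
 * Function names, the entry layout and the 'file_path' key are assumptions.
 */

// Constructed form definition: the field types the form actually declares.
$form_fields = [
    'name-1'   => ['type' => 'text'],
    'upload-1' => ['type' => 'upload'],
];

// Constructed stored submission. The text field carries an attacker-supplied
// array that mimics an upload value and points at a file outside uploads.
function make_entry(string $uploads_dir, string $target): array {
    return [
        'name-1'   => ['file' => ['file_path' => $target]],
        'upload-1' => ['file' => ['file_path' => $uploads_dir . '/cv.pdf']],
    ];
}

// Vulnerable pattern: anything shaped like an upload value is unlinked,
// regardless of the declared field type or where the path points.
function delete_entry_files_vulnerable(array $entry): array {
    $deleted = [];
    foreach ($entry as $slug => $value) {
        if (is_array($value) && isset($value['file']['file_path'])) {
            $path = (string) $value['file']['file_path'];
            if (is_file($path)) {
                unlink($path);
                $deleted[] = $path;
            }
        }
    }
    return $deleted;
}

// Hardened pattern: (1) only fields declared as 'upload' may own files,
// (2) the resolved path must sit inside the uploads base directory.
function delete_entry_files_hardened(array $entry, array $form_fields, string $uploads_dir): array {
    $base = realpath($uploads_dir);
    if ($base === false) {
        return [];
    }
    $deleted = [];
    foreach ($entry as $slug => $value) {
        if (($form_fields[$slug]['type'] ?? '') !== 'upload') {
            continue; // a text field never owns a file, whatever its value looks like
        }
        if (!is_array($value) || !isset($value['file']['file_path'])) {
            continue;
        }
        // realpath() collapses "../" and symlinks; compare against base plus a
        // separator so "/uploads-evil/x" is not accepted for base "/uploads".
        $real = realpath((string) $value['file']['file_path']);
        if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
            continue;
        }
        if (is_file($real)) {
            unlink($real);
            $deleted[] = $real;
        }
    }
    return $deleted;
}

// Scratch layout: a fake wp-config.php next to a fake wp-content/uploads dir.
$root    = sys_get_temp_dir() . '/cve-2025-6463-demo-' . getmypid();
$uploads = $root . '/wp-content/uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // fake config\n");
file_put_contents($uploads . '/cv.pdf', 'fake upload');

$entry = make_entry($uploads, $root . '/wp-config.php');

// Hardened: only the genuine upload is removed, the config file survives.
var_dump(delete_entry_files_hardened($entry, $form_fields, $uploads));
var_dump(file_exists($root . '/wp-config.php'));

// Vulnerable: the "upload" smuggled into the text field takes wp-config.php with it.
file_put_contents($uploads . '/cv.pdf', 'fake upload');
var_dump(delete_entry_files_vulnerable($entry));
var_dump(file_exists($root . '/wp-config.php'));
```

Run it with `php demo.php`; the hardened pass deletes only the file under the uploads directory and leaves the fake wp-config.php in place, while the vulnerable pass deletes both. The prefix check on the realpath() result is the part that matters: a naive string check on the stored path would still be fooled by "../" segments or a symlink dropped into the uploads folder.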


Since the update was released, the patched plugin has been downloaded over 200,000 times. The exact number of sites still running a version vulnerable to CVE-2025-6463 is unknown.


Forminator users are strongly advised to update the plugin to the latest version as soon as possible, or to deactivate it temporarily until the fixed version is installed. So far there have been no reports of the vulnerability being exploited in the wild. However, the public disclosure of technical details and the low effort required to exploit the flaw make it likely that attacks will begin in the near future.