
A newly disclosed high-severity vulnerability in the popular Forminator plugin threatens the security of hundreds of thousands of WordPress websites. Tracked as CVE-2025-6463, this arbitrary file deletion vulnerability carries a CVSS score of 8.8 and could allow unauthenticated attackers to delete critical server files—ultimately leading to full site compromise.
According to Wordfence, the vulnerability affects Forminator Forms – Contact Form, Payment Form & Custom Form Builder, which has over 600,000 active installations. The flaw exists in versions up to and including 1.44.2, and has been patched in version 1.44.3.
“This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted,” Wordfence explains. “It can be leveraged to delete critical files like wp-config.php, which can lead to remote code execution.”
The flaw was responsibly reported by security researcher Phat RiO – BlueRock via the Wordfence Bug Bounty Program, earning a bounty of $8,100 for the discovery.
The issue stems from insufficient validation of file paths passed during form submissions. The vulnerable function, entry_delete_upload_files(), trusts user-supplied values without checking file types, field context, or upload location.
The function is triggered when form submissions are deleted, either manually by an admin or automatically based on plugin settings. Wordfence warns:
“This makes the vulnerability exploitable on any instance with an active form… users can supply a file array in any form submission field, even when the field should not accept files.”
As a result, attackers can craft submissions that reference arbitrary files on the server. Once the submission is deleted—perhaps because it looks like spam and is removed automatically—the referenced file is deleted with it. If that file is wp-config.php, the consequences are dire.
“Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.”
What makes CVE-2025-6463 especially dangerous is its simplicity. No authentication is required, and the attack vector only requires form submission—which can be trivial to automate. By submitting a fake or spam-like form and waiting for it to be deleted (by human or system), attackers can trigger the vulnerability.
Wordfence emphasizes:
“We believe that form submission deletion, especially if created to appear spammy, is a very likely situation to occur—making this vulnerability a prime target for attackers.”
Admins are strongly urged to immediately update Forminator to version 1.44.3 or higher. Additionally, site owners should:
- Review auto-deletion and spam filtering settings in the plugin;
- Monitor for suspicious form submissions;
- Audit file system changes for unexpected deletions;
- Consider enabling WAF (Web Application Firewall) protection.