A critical vulnerability in the Forminator plugin, one of the most popular form-building plugins in WordPress, allows unauthenticated attackers to delete arbitrary files on the server, including the sensitive wp-config.php file. This can lead to complete site takeover, making it one of the most severe plugin vulnerabilities of the year.
The vulnerability was responsibly disclosed via the Wordfence Bug Bounty Program and tracked under CVE-2025-6463. Despite a patch being released on June 30, 2025, data suggests that over 400,000 WordPress sites remain vulnerable.
Key Details
- Severity: 8.8 (High)
- Exploitation Status: Public PoC and active risk
- Affected Product: Forminator – Contact Form, Payment Form & Custom Form Builder
- Active Installations: 600,000+
- Patched Version: 1.44.3
Technical Overview
Vurnelable function:
entry_delete_upload_files() in class-form-entry-model.php
Root cause:
The plugin failed to validate file paths and field types when deleting uploaded files associated with a form submission.
Attackers can inject arbitrary file paths in form fields, even in fields not meant for file uploads.
When the form submission is deleted (manually or via auto-deletion settings), these files are permanently deleted from the server.
Why it’s dangerous
Attackers can target critical files like:
- wp-config.php – leads to site reset and full takeover
- .htaccess, plugin files, or database configs – can break or expose the site
Attack Scenarios
1. wp-config.php Deletion
- The attacker crafts a submission with a forged file path.
- When the form is deleted (e.g., marked as spam), the plugin deletes wp-config.php.
- The site enters setup mode, allowing attackers to connect it to a malicious database.
2. Stealth Attack via Spam Forms
- Spammed entries lead to auto-deletion.
- The exploit is triggered passively, without needing to breach authentication or admin accounts
Patch Details
The vendor (WPMU DEV) released version 1.44.3 on June 30, 2025.
The patch adds file type restriction, so only files from upload or signature fields can be deleted, along with directory validation to ensure deletions are confined to the WordPress uploads folder, effectively blocking attackers from targeting critical system files like wp-config.php.
File name sanitization was also implemented in the patch, which prevents bypass using encoded/obfuscated filenames.
Remediation
Worpdress site owners and admins with the Forminator plugin installed are urged to update to the latest version immediately, which at the time of this writing is 1.44.3.
For long term security, organizations should implement regular plugin audits, enable automatic updates for critical components, restrict file permissions on sensitive configuration files like wp-config.php, and deploy a web application firewall (WAF) to detect and block malicious form submissions before they reach the server.
Stay Safe, Stay Secure
OP Innovate Research Team
