How many WordPress sites are affected by the Forminator vulnerability?

More than 600,000 active WordPress installations using the Forminator plugin are potentially affected by this critical security vulnerability.

What makes this Forminator vulnerability particularly dangerous?

This vulnerability is particularly dangerous because it can be exploited by unauthenticated attackers, affects over 600,000 installations, and can lead to complete site takeover by allowing attackers to delete critical WordPress files like wp-config.php and essentially hijack the website.

What is the CVSS score for the Forminator vulnerability?

The Forminator vulnerability CVE-2025-6463 has a CVSS score of 8.8, which is classified as high severity, reflecting the significant risk it poses to affected WordPress installations.

Can this Forminator vulnerability be exploited without authentication?

Yes, this is an unauthenticated vulnerability, meaning attackers do not need to log in or have any special access to the WordPress site to exploit it. They can craft malicious form submissions from anywhere on the internet.

What is the Wordfence Bug Bounty Program's highest award?

The researcher who discovered the Forminator vulnerability received $8,100, which is the highest award in the Wordfence Bug Bounty Program's history, reflecting the severity and potential impact of this vulnerability.

What should site owners look for in their logs after this Forminator vulnerability disclosure?

Website administrators should check their submission logs for suspicious activity, particularly looking for form submissions that contain unusual file paths or attempts to target system files like wp-config.php or other critical WordPress files.

What type of form fields can be exploited in this Forminator vulnerability?

Attackers can craft malicious form submissions containing arbitrary file paths in any form field, even those not intended for file uploads. This makes the vulnerability particularly dangerous as it can be exploited through any form created with the Forminator plugin.

Who develops the Forminator WordPress plugin?

The Forminator plugin is developed by the WPMU DEV team, who promptly released a security patch (version 1.44.3) on June 30, 2025, to address this critical vulnerability.

Advisory

WordPress Plugin flaw exposes over 600,000 websites to potential remote takeover

Q: What is the Forminator WordPress plugin vulnerability?

A security vulnerability tracked as CVE-2025-6463 with a CVSS score of 8.8 has been discovered in the Forminator WordPress plugin, exposing more than 600,000 active installations to potential takeover. The vulnerability stems from insufficient file path validation in the plugin's entry_delete_upload_files() function.

Q: How does the Forminator vulnerability work technically?

The vulnerability allows unauthenticated attackers to craft malicious form submissions containing arbitrary file paths in any form field. When these submissions are subsequently deleted, the plugin attempts to remove the files specified in the malicious paths without validating whether these files should be deleted or restricting deletion to appropriate upload directories.

Q: What can attackers do with this Forminator vulnerability?

Attackers can target critical WordPress files, particularly the wp-config.php file. Deleting this file forces the WordPress installation into setup mode, effectively allowing attackers to connect the site to a database under their control and load up a completely malicious site on the legitimate domain URL.

Q: What is the specific function affected in the Forminator plugin?

The vulnerability is in the entry_delete_upload_files() function within the Forminator_Form_Entry_Model class. This function is designed to clean up uploaded files when form submissions are deleted, either manually by administrators or automatically through plugin settings.

Q: Has the Forminator vulnerability been patched?

Yes, the WPMU DEV team, developers of the Forminator plugin, released a patched version 1.44.3 on June 30, 2025, which addresses this critical security vulnerability.

published: July 2, 2025

Take action: If you're using the Forminator WordPress plugin, immediately update to version 1.44.3 or later. Your WordPress site is exposed to the internet by design, so attackers will find it very quickly. Don't delay, updating a plugin in WordPress is quite easy. Then check your form submission logs for any suspicious entries that might indicate your site was already targeted.

Learn More

A security vulnerability has been discovered in the Forminator WordPress plugin, exposing more than 600,000 active installations to potential takeover.

The vulnerability is tracked as CVE-2025-6463 (CVSS score 8.8). It stems from insufficient file path validation in the plugin's entry_delete_upload_files() function within the Forminator_Form_Entry_Model class. This function is designed to clean up uploaded files when form submissions are deleted, either manually by administrators or automatically through plugin settings.

The flaw allows unauthenticated attackers to craft malicious form submissions containing arbitrary file paths in any form field, even those not intended for file uploads. When these submissions are subsequently deleted, the plugin attempts to remove the files specified in the malicious paths without validating whether these files should be deleted or restricting deletion to the appropriate upload directories.

Attackers are able to target critical WordPress files, particularly the wp-config.php file. Deleting it forces the WordPress installation into setup mode, effectively allowing attackers to connect the site to a database under their control and load up a completely malicious site on the legitimate domain URL.

Security researcher Phat RiO – BlueRock discovered this vulnerability and reported it responsibly through the Wordfence Bug Bounty Program, earning a record-breaking bounty of $8,100 - the highest award in the program's history.

The WPMU DEV team, developers of the Forminator plugin released a patched version 1.44.3 on June 30, 2025.

Website administrators should immediately update their Forminator plugin to version 1.44.3 or later and check submission logs for suspicious activity.

WordPress Plugin flaw exposes over 600,000 websites to potential remote takeover

Read More
Craft CMS zero-Day vulnerabilities actively exploited
Critical flaw in Service Finder WordPress Theme actively …
Critical SQL injection flaw identified in a Facebook …
ShowDoc Document Management Platform Targeted by Active RCE …
Critical flaws reported in WordPress Anti-Spam plugin by …