A severe arbitrary file deletion vulnerability has been discovered in the popular Forminator WordPress plugin, a form-building plugin with over 600,000 active installations on websites worldwide. The vulnerability is tracked as CVE-2025-6463 and has received a high CVSS rating of 8.8. It allows unauthenticated attackers to delete critical files on the server, including the essential wp-config.php WordPress configuration file, which can lead to complete site takeover and remote code execution. The security researcher Phat RiO – BlueRock discovered and responsibly disclosed the flaw to the plugin developers.
The vulnerability was first reported on June 20, 2025, affecting all Forminator versions up to and including 1.44.2.
The security flaw stems from insufficient file path validation in the plugin’s entry_delete_upload_files() function. This function is responsible for processing the deletion of form submissions created by website visitors. What makes this vulnerability particularly dangerous is that it can be exploited remotely without any authentication: attackers can craft form submissions containing arbitrary file paths.
When these submissions are deleted, the specified files are permanently removed from the website’s hosting server.
The most critical attack scenario involves deleting the wp-config.php file, which contains important database credentials. When this configuration file is removed, WordPress enters a setup state, allowing attackers to take full control. An attacker can then configure the site with a database under their control, achieving complete site compromise. The core technical issue lies in the entry_delete_upload_files() function’s lack of any proper security checks. The vulnerable code processes all metadata values that match a file array structure without verifying field types. Attackers can exploit this by submitting forms with crafted file path values to delete any server file.
WPMU DEV, the plugin developer, responded promptly to the vulnerability disclosure and released a security patch in version 1.44.3 on June 30, 2025. The patch adds multiple layers of protection, including field type validation and restricting file deletion to upload fields. The patched code also validates that file paths remain within the WordPress uploads directory, which prevents directory traversal attacks. All WordPress administrators are strongly urged to update to version 1.44.3 immediately to prevent potential exploitation.
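The two checks described above (field type validation, and confining deletions to the uploads directory) as an added illustration, not Forminator's own code: the function names, the metadata shape and the field-type map are assumed for this example.

```php
<?php
// Added example, not Forminator's code: delete only files that (a) belong to a
// field declared as an upload field and (b) resolve inside the uploads directory.
// The metadata shape ['file' => ['file_path' => [...]]] is assumed for illustration.
function is_upload_field(string $slug, array $field_types): bool {
    // Field type validation: only declared upload fields may carry deletable paths.
    return isset($field_types[$slug]) && $field_types[$slug] === 'upload';
}

function path_within_uploads(string $path, string $uploads_base): ?string {
    $base = realpath($uploads_base);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return null; // nonexistent directory or file: nothing to delete
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // realpath() collapses "../" segments, so a path that escapes the uploads
    // tree no longer carries the $base prefix and is rejected.
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

function delete_entry_upload_files(array $entry_meta, array $field_types, string $uploads_base): array {
    $deleted = [];
    foreach ($entry_meta as $slug => $value) {
        if (!is_upload_field($slug, $field_types)) {
            continue; // the vulnerable code skipped this and trusted any file-shaped value
        }
        foreach ((array) ($value['file']['file_path'] ?? []) as $candidate) {
            $safe = path_within_uploads((string) $candidate, $uploads_base);
            if ($safe !== null && is_file($safe) && unlink($safe)) {
                $deleted[] = $safe;
            }
        }
    }
    return $deleted;
}

// Constructed demo: the upload inside the uploads dir is removed; the path that
// escapes the directory and the non-upload field are both ignored.
$uploads = sys_get_temp_dir() . '/uploads_demo';
@mkdir($uploads);
file_put_contents("$uploads/attachment.txt", 'x');
file_put_contents(sys_get_temp_dir() . '/outside_demo.txt', 'x');
$meta = [
    'upload-1' => ['file' => ['file_path' => ["$uploads/attachment.txt", "$uploads/../outside_demo.txt"]]],
    'text-1'   => ['file' => ['file_path' => [sys_get_temp_dir() . '/outside_demo.txt']]],
];
$types = ['upload-1' => 'upload', 'text-1' => 'text'];
print_r(delete_entry_upload_files($meta, $types, $uploads));
```

Running it removes only the file under the demo uploads directory; the entry that resolves outside that directory and the entry attached to a text field are both left alone.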