Forminator is a widely used WordPress form builder plugin that enables users to create contact forms, payment forms, quizzes, and polls through a drag-and-drop interface. The plugin has an arbitrary file deletion vulnerability, tracked as CVE-2025-6463 with a high CVSS rating of 8.8, that allows unauthenticated attackers to delete critical system files, including wp-config.php, potentially leading to complete site takeover and remote code execution.

The flaw stems from insufficient file path validation in the entry_delete_upload_files() function, which removes uploaded files when form submissions are deleted. The function accepts file arrays from any form field, even fields that are not designed to accept file uploads, so an attacker can submit a form with a crafted file path value such as ../../../wp-config.php or another critical system file. Nothing happens at submission time; the specified file is deleted when the submission is later removed, either manually by an administrator or by the plugin's automatic deletion of old entries.

When wp-config.php is removed, WordPress enters a setup state, allowing attackers to configure the site with a database under their control, effectively achieving complete site compromise and, from there, remote code execution.

The patch implements multiple security layers: field type validation that restricts file deletion to the ‘upload’ and ‘signature’ field types, and an upload directory path restriction using the wp_normalize_path() and realpath() functions, so that a file is only deleted if its resolved path lies inside the upload directory.
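The following is an added, self-contained PHP example, not Forminator's own code, showing the vulnerable pattern described above beside a hardened version that applies the two layers from the patch (field type allow-list, then a normalize-and-realpath check against the upload directory). It assumes a simplified submission layout (`fields[].type` and `fields[].value.file.file_path`), uses a stand-in for WordPress's wp_normalize_path() so it runs outside WordPress, and builds a throwaway site tree in a temp directory with constructed files:

```php
<?php
// Added example (not the plugin's code). Demonstrates CVE-2025-6463-style
// arbitrary file deletion via a submitted file path, and the hardened check.

// Stand-in for WordPress's wp_normalize_path(): backslashes to slashes and
// duplicate slashes collapsed. Assumption: sufficient for this demo.
function wp_normalize_path_stub(string $path): string {
    $path = str_replace('\\', '/', $path);
    return preg_replace('|(?<=.)/+|', '/', $path);
}

// Constructed site layout: <tmp>/wp-config.php and <tmp>/wp-content/uploads/forminator/
function make_site(): array {
    $root    = sys_get_temp_dir() . '/forminator-demo-' . bin2hex(random_bytes(4));
    $uploads = $root . '/wp-content/uploads/forminator';
    mkdir($uploads, 0700, true);
    file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in config\n");
    file_put_contents($uploads . '/resume.pdf', "constructed upload\n");
    return [$root, $uploads];
}

// Vulnerable pattern: any field carrying a file array is trusted and unlinked as-is.
function delete_uploads_vulnerable(array $submission): void {
    foreach ($submission['fields'] as $field) {
        $path = $field['value']['file']['file_path'] ?? '';
        if ($path !== '') {
            @unlink($path);   // no type check, no path containment check
        }
    }
}

// Hardened pattern mirroring the described fix:
//  1. only 'upload' and 'signature' fields may reference files;
//  2. the normalized, resolved path must sit inside the upload directory.
function delete_uploads_hardened(array $submission, string $upload_dir): array {
    $deleted = [];
    $base = realpath($upload_dir);
    if ($base === false) {
        return $deleted;  // upload dir missing: refuse to delete anything
    }
    foreach ($submission['fields'] as $field) {
        if (!in_array($field['type'] ?? '', ['upload', 'signature'], true)) {
            continue;  // layer 1: wrong field type
        }
        $candidate = $field['value']['file']['file_path'] ?? '';
        if ($candidate === '') {
            continue;
        }
        $real = realpath(wp_normalize_path_stub($candidate));
        // layer 2: realpath() collapses ../ segments; require the result to be
        // strictly below the upload directory (separator appended so that
        // "/uploads-evil" does not match "/uploads").
        if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
            continue;
        }
        if (unlink($real)) {
            $deleted[] = $real;
        }
    }
    return $deleted;
}

[$root, $uploads] = make_site();
// Constructed malicious submission: a text field and an upload field both
// carrying a traversal path to wp-config.php, plus one legitimate upload.
$submission = ['fields' => [
    ['type' => 'text',   'value' => ['file' => ['file_path' => $uploads . '/../../../wp-config.php']]],
    ['type' => 'upload', 'value' => ['file' => ['file_path' => $uploads . '/../../../wp-config.php']]],
    ['type' => 'upload', 'value' => ['file' => ['file_path' => $uploads . '/resume.pdf']]],
]];

$deleted = delete_uploads_hardened($submission, $uploads);
echo "hardened deleted: " . implode(', ', $deleted) . "\n";
echo "hardened: wp-config.php survives: " . (file_exists($root . '/wp-config.php') ? 'yes' : 'no') . "\n";

file_put_contents($uploads . '/resume.pdf', "constructed upload\n");  // restore for second run
delete_uploads_vulnerable($submission);
echo "vulnerable: wp-config.php survives: " . (file_exists($root . '/wp-config.php') ? 'yes' : 'no') . "\n";

// Clean up the throwaway tree.
foreach ([$uploads . '/resume.pdf', $root . '/wp-config.php'] as $f) { @unlink($f); }
foreach ([$uploads, dirname($uploads), dirname(dirname($uploads)), $root] as $d) { @rmdir($d); }
```

The hardened run deletes only resume.pdf and leaves wp-config.php in place; the vulnerable run removes wp-config.php, which on a real site is what pushes WordPress into its setup state. Note that realpath() returns false for a non-existent target, so the containment check must treat that as a refusal rather than fall through to unlink().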
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Jul 2025 10:25:14 +0000