The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks. Forminator offers a flexible, visual drag-and-drop builder to help users create and embed a wide range of form-based content on WordPress sites.

The vulnerability, tracked as CVE-2025-6463, stems from insufficient validation and sanitization of form field input and unsafe file deletion logic in the plugin's backend code. When a user submits a form, the 'save_entry_fields()' function saves all field values, including file paths, without checking whether those fields are supposed to handle files. When the admin later deletes that submission, or when the plugin auto-deletes old submissions (as configured), Forminator deletes the file at the stored path. Because that path can point at the core WordPress file wp-config.php, the deletion forces the website into a "setup" stage where it is vulnerable to takeover.

"Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control," explains Wordfence.

On June 30, the vendor released Forminator version 1.44.3, which adds a field type check and a file path validation that ensures deletions are limited to the WordPress uploads directory.

At this time, there are no reports of active exploitation of CVE-2025-6463, but the public disclosure of the technical details combined with the ease of exploitation could lead to threat actors moving quickly to explore its potential in attacks. If you use Forminator for your website, it is recommended to update it to the latest version or deactivate the plugin until you can move to a safe version.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
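As an added illustration of the two checks the fix describes (not Forminator's own code), the PHP helper below only treats values of fields declared as upload fields as file paths, and refuses to delete anything whose resolved path lies outside the uploads directory. The entry layout, the field-type names and the `$uploads_basedir` argument are assumptions made for this example.

```php
<?php
// Added example, not Forminator's code. Field layout and type names are assumed.
// Returns the canonical paths that were actually deleted; rejected paths are logged.
function delete_entry_files(array $entry_fields, array $field_types, string $uploads_basedir): array
{
    $deleted = [];
    $root = realpath($uploads_basedir);
    if ($root === false) {
        return $deleted;
    }
    // Trailing separator so "/srv/uploads_other" does not match "/srv/uploads".
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach ($entry_fields as $name => $value) {
        // Check 1 (field type): only upload fields may carry file paths; a text or
        // hidden field whose value happens to look like a path is never acted on.
        if (($field_types[$name] ?? '') !== 'upload') {
            continue;
        }
        foreach ((array) $value as $path) {
            // Check 2 (path validation): canonicalise, then require the file to be under uploads.
            $real = realpath((string) $path);
            if ($real === false || strncmp($real, $root, strlen($root)) !== 0) {
                error_log("example: refusing to delete outside uploads directory: {$path}");
                continue;
            }
            if (is_file($real) && unlink($real)) {
                $deleted[] = $real;
            }
        }
    }
    return $deleted;
}

// Constructed demo: a temporary uploads directory holding one legitimate upload, and a
// stand-in config file outside it that a submission tries to reference from two fields.
$uploads = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
mkdir($uploads, 0700, true);
file_put_contents("$uploads/resume.pdf", 'x');
$config = sys_get_temp_dir() . '/wp-config-demo-' . getmypid() . '.php';
file_put_contents($config, '<?php // stand-in for wp-config.php');
$expected = realpath("$uploads/resume.pdf");

$types  = ['name' => 'text', 'resume' => 'upload'];
$fields = [
    'name'   => $config,                          // text field: skipped by check 1
    'resume' => ["$uploads/resume.pdf", $config], // upload field: second path rejected by check 2
];
$deleted = delete_entry_files($fields, $types, $uploads);
var_dump($deleted === [$expected] && file_exists($config));
unlink($config);
rmdir($uploads);
```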
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 02 Jul 2025 15:40:15 +0000