A newly disclosed vulnerability, tracked as CVE-2025-6463, has put over 600,000 WordPress sites at immediate risk.
The flaw, rated 8.8 (High) on the CVSS scale, affects the popular Forminator Forms – Contact Form, Payment Form, and Custom Form Builder plugin in all versions up to and including 1.44.2.
The vulnerability allows unauthenticated attackers to delete arbitrary files on the server by exploiting insufficient validation in the plugin’s core file handling logic.
The root cause lies in the entry_delete_upload_files() function, which failed to properly restrict file deletions to legitimate upload fields and the designated WordPress uploads directory.
Attackers can craft form submissions that specify the path of any file on the server, most dangerously wp-config.php.
If this critical configuration file is deleted, WordPress enters setup mode, allowing the attacker to connect the site to a database under their control, leading to complete site takeover.
Technical Breakdown:
The vulnerability is triggered when a form submission—containing a malicious file path—is deleted, either manually by an administrator or automatically by plugin settings.
The plugin’s logic did not check whether the field was intended for file uploads or whether the file path was within the allowed directory.
As a result, even non-upload fields could be abused to reference sensitive files.
Key technical issues:
- Field Type Validation: Missing; any field could trigger file deletion.
- Path Restriction: Missing; files outside the uploads directory could be deleted.
- No Authentication Required: Attackers need only submit a form, making automation trivial.
Example attack flow:
- The attacker submits a form with a malicious file path (e.g., /var/www/html/wp-config.php).
- The submission is deleted (by an admin or by auto-deletion).
- The plugin deletes the referenced file, potentially crippling or compromising the site.
Vulnerable Code Snippet (pre-patch):
```php
public static function entry_delete_upload_files( $form_id, $entry_model ) {
	foreach ( $entry_model->meta_data as $meta_data ) {
		$meta_value = $meta_data['value'];
		// Any field whose stored value is shaped like an upload is treated as one:
		// the field's declared type is never consulted.
		if ( is_array( $meta_value ) && isset( $meta_value['file'] ) ) {
			$file_path = is_array( $meta_value['file']['file_path'] ) ? $meta_value['file']['file_path'] : array( $meta_value['file']['file_path'] );
			foreach ( $file_path as $path ) {
				// The path is used exactly as stored: no normalisation and no check
				// that it lies inside the WordPress uploads directory.
				if ( ! empty( $path ) && file_exists( $path ) ) {
					wp_delete_file( $path );
				}
			}
		}
	}
}
```
This code trusted user-supplied values without type or path checks, enabling the exploit.
Patch, Response, and Immediate Actions for Administrators
The vulnerability was responsibly disclosed by security researcher Phat RiO – BlueRock through the Wordfence Bug Bounty Program, earning an $8,100 bounty—the highest in the program’s history.
The vendor, WPMU DEV, patched the flaw in version 1.44.3 by:
- Restricting deletions to fields of type ‘upload’ or ‘signature’
- Limiting file deletions to the WordPress uploads directory
- Sanitizing file names and normalizing paths for additional security
Immediate steps for site administrators:
- Update Forminator to version 1.44.3 or later immediately
- Verify the integrity of critical files like wp-config.php
- Review form submissions for suspicious entries
- Enable Web Application Firewall (WAF) protection, such as Wordfence
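The deletion logic from the technical breakdown, the three checks described for the 1.44.3 patch, and the "review form submissions" step above, brought together in one added example. This is not Forminator's or WPMU DEV's code: it is a stand-alone script that runs under plain `php`, with a scratch directory standing in for wp_upload_dir()['basedir'], unlink() for wp_delete_file(), a hypothetical safe_basename() in place of WordPress' sanitize_file_name(), an assumed $field_types map in place of the form definition, and constructed entry meta rows in the storage shape the vulnerable snippet iterates.

```php
<?php
// Added example, not Forminator's code. Pre-patch deletion logic beside a hardened
// version applying the three 1.44.3 checks, plus an audit helper for stored entries.
// A scratch directory stands in for wp_upload_dir()['basedir'] so it runs under plain php.
/** Hypothetical stand-in for WordPress' sanitize_file_name(): conservative charset only. */
function safe_basename(string $name): string {
    return preg_replace('/[^A-Za-z0-9._-]/', '', $name) ?? '';
}

/** True only if $path resolves (symlinks and "../" included) to an existing file
 *  strictly inside $uploads_dir whose filename survives sanitisation unchanged. */
function is_trusted_upload_path(string $path, string $uploads_dir): bool {
    $base = realpath($uploads_dir);
    $real = realpath($path);
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;   // "/uploads/" not "/uploads"
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;   // outside the uploads tree, or a symlink that escapes it
    }
    return basename($real) === safe_basename(basename($real));
}

/** The paths an entry meta value names, in the plugin's storage shape. */
function meta_file_paths(array $meta): array {
    $value = $meta['value'] ?? null;
    if (!is_array($value) || !isset($value['file']['file_path'])) {
        return [];
    }
    return array_filter((array) $value['file']['file_path'], 'is_string');
}

/** Pre-patch behaviour: any meta value naming an existing file gets it deleted. */
function delete_upload_files_vulnerable(array $meta_data): array {
    $deleted = [];
    foreach ($meta_data as $meta) {
        foreach (meta_file_paths($meta) as $path) {
            if ($path !== '' && file_exists($path)) {
                unlink($path);      // wp_delete_file() in the plugin
                $deleted[] = $path;
            }
        }
    }
    return $deleted;
}

/** Hardened behaviour: field-type gate first, then the path must be a trusted upload path. */
function delete_upload_files_hardened(array $meta_data, array $field_types, string $uploads_dir): array {
    $deleted = [];
    foreach ($meta_data as $meta) {
        if (!in_array($field_types[$meta['name']] ?? '', ['upload', 'signature'], true)) {
            continue;   // a text field can never trigger a file deletion
        }
        foreach (meta_file_paths($meta) as $path) {
            if (is_trusted_upload_path($path, $uploads_dir)) {
                $real = realpath($path);   // resolve before unlink; realpath fails afterwards
                unlink($real);
                $deleted[] = $real;
            }
        }
    }
    return $deleted;
}

/** Audit helper: stored entries whose file paths the hardened rules would reject. */
function suspicious_entries(array $meta_data, array $field_types, string $uploads_dir): array {
    $hits = [];
    foreach ($meta_data as $meta) {
        $type = $field_types[$meta['name']] ?? '';
        foreach (meta_file_paths($meta) as $path) {
            if (!in_array($type, ['upload', 'signature'], true) || !is_trusted_upload_path($path, $uploads_dir)) {
                $hits[] = "field {$meta['name']} ({$type}) names {$path}";
            }
        }
    }
    return $hits;
}

// ---- demo with constructed data (scratch dirs stand in for the uploads dir and ABSPATH) ----
$uploads_dir = sys_get_temp_dir() . '/forminator-demo-' . getmypid();
$site_root   = $uploads_dir . '-site';
mkdir($uploads_dir, 0700, true); mkdir($site_root, 0700, true);
file_put_contents("$uploads_dir/resume.pdf", 'legitimate upload');
file_put_contents("$site_root/wp-config.php", "<?php // database credentials\n");
// Constructed meta rows: a genuine upload, and a text field whose stored value was
// shaped like an upload so that it points at wp-config.php.
$meta_data = [
    [ 'name' => 'upload-1', 'value' => [ 'file' => [ 'file_path' => "$uploads_dir/resume.pdf" ] ] ],
    [ 'name' => 'text-1',   'value' => [ 'file' => [ 'file_path' => "$site_root/wp-config.php" ] ] ],
];
$field_types = [ 'upload-1' => 'upload', 'text-1' => 'text' ];   // assumed form definition
foreach (suspicious_entries($meta_data, $field_types, $uploads_dir) as $hit) { echo "suspicious: $hit\n"; }
echo 'hardened deleted:   ' . implode(', ', delete_upload_files_hardened($meta_data, $field_types, $uploads_dir)) . "\n";
echo 'wp-config.php intact after hardened run:   ' . (file_exists("$site_root/wp-config.php") ? 'yes' : 'no') . "\n";
echo 'vulnerable deleted: ' . implode(', ', delete_upload_files_vulnerable($meta_data)) . "\n";
echo 'wp-config.php intact after vulnerable run: ' . (file_exists("$site_root/wp-config.php") ? 'yes' : 'no') . "\n";
rmdir($uploads_dir); rmdir($site_root);
```

Two details in is_trusted_upload_path() matter in practice. The containment check compares against the base directory with a trailing separator; the demo's sibling directory ("forminator-demo-NNN-site") shares the uploads directory's string prefix and would pass a bare prefix comparison. And realpath() is applied to the candidate, not just the base, so a symlink planted inside the uploads tree that points at wp-config.php resolves outside it and is refused. When suspicious_entries() is run over real stored entries, rows whose legitimate upload has already been removed will also be flagged, because the existence check fails; those are easy to dismiss by hand, whereas a path under the site root or containing "../" from a text field is the pattern this vulnerability leaves behind.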
Failure to act leaves sites exposed to remote code execution and total compromise.
This incident underscores the necessity of rigorous input validation, prompt patching, and proactive security monitoring in all WordPress environments.