Arbitrary File Deletion in Forminator Forms Plugin for WordPress
CVE-2025-6463

8.8HIGH

What is CVE-2025-6463?

The Forminator Forms plugin for WordPress is vulnerable to arbitrary file deletion because the 'entry_delete_upload_files' function does not sufficiently validate file paths. Unauthenticated attackers can craft form submissions that contain arbitrary file paths, causing the plugin to delete files it should never touch, including configuration files. Deleting such files can open the door to follow-on attacks such as remote code execution, putting the integrity and security of the affected WordPress installation at serious risk.

Affected Version(s)

Forminator Forms – Contact Form, Payment Form & Custom Form Builder: <= 1.44.2

News Articles

Forminator plugin flaw exposes WordPress sites to takeover attacks

The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks.

CVSS v3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Exploit known to exist

  • First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability reserved

Credit

Nguyen Tan Phat