Critical Vulnerability in WordPress Plugin Forminator Threatens 400,000+ Websites

A severe vulnerability has been discovered in the popular WordPress plugin Forminator, enabling attackers to delete arbitrary files from a site’s server—potentially resulting in a full site takeover. The flaw affects all versions up to 1.44.2 and places hundreds of thousands of websites at immediate risk.
Key Details
- CVE ID: CVE-2025-6463
- CVSS Score: 8.8 (High)
- Affected Versions: All versions ≤ 1.44.2
- Discovery Date: Reported June 20, 2025
- Discovered By: Phat RiO of BlueRock, reported via Wordfence
- Bug Bounty Awarded: $8,100
- Active Installations: 600,000+
- Estimated Sites Still at Risk: ~400,000 (based on update stats)
What Is Forminator?
Developed by WPMU DEV, Forminator is a widely used drag-and-drop form builder for WordPress. It enables site admins to easily create:
✔ Payment and donation forms
✔ Contact and registration forms
✔ Quizzes and polls
✔ Surveys and feedback tools
Its ease of use and versatility have made it a go-to plugin for both small businesses and large content-driven sites.
The Vulnerability Explained
The issue lies in insufficient input validation and unsafe file deletion logic within Forminator’s backend.
How the Attack Works:
Step 1: Malicious Payload Injection
- An attacker submits a form containing a crafted file path (e.g., /var/www/html/wp-config.php) in a form field.
- Forminator saves the value without validating it as a safe input.
Step 2: Triggering File Deletion
- If an admin manually deletes the form entry—or if auto-cleanup is enabled—Forminator attempts to remove the file at the saved path.
- If wp-config.php is deleted, the WordPress installation enters setup mode, allowing the attacker to connect the site to a malicious database and take over the site.
This attack does not require authentication and can be launched remotely with minimal effort.
Patch Released: v1.44.3
On June 30, 2025, WPMU DEV issued a security update that:
- Restricts file deletions to WordPress’ uploads directory
- Adds input validation on field types to block malicious file paths
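The fix described above confines deletions to the uploads directory and ties them to the field type. The following is an added example in Python (not Forminator's own PHP code, and not from WPMU DEV or Wordfence) that shows what such a containment check has to do to hold up: it resolves the real path before comparing, so an absolute path, a `../` traversal, a symlink planted inside uploads, and a sibling directory that merely shares the uploads prefix are all rejected, while a genuine upload from a file field is deleted. The directory layout, file names and the `FILE_FIELD_TYPES` allowlist are constructed for the demonstration; Forminator's real field-type names are not on the page.

```python
import os
import tempfile

# Constructed allowlist: only fields that actually hold an uploaded file may
# carry a deletable path. "upload" is a placeholder, not Forminator's real name.
FILE_FIELD_TYPES = {"upload"}


def is_within_directory(base_dir: str, candidate: str) -> bool:
    """True only if candidate, after resolving symlinks and '..', lies under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    try:
        # commonpath, unlike a plain startswith(), does not accept "uploads_backup"
        # as being inside "uploads".
        return os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def safe_delete_upload(uploads_dir: str, field_type: str, stored_path: str) -> bool:
    """Delete stored_path only if the field is a file field and the resolved path
    is a regular file inside uploads_dir. Returns True when a file was removed."""
    if field_type not in FILE_FIELD_TYPES:
        return False
    if not is_within_directory(uploads_dir, stored_path):
        return False
    target = os.path.realpath(stored_path)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Build a throwaway site layout and exercise the check on several stored values."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    sibling = os.path.join(root, "wp-content", "uploads_backup")  # shares the prefix only
    os.makedirs(sibling)

    config = os.path.join(root, "wp-config.php")
    with open(config, "w") as f:
        f.write("<?php // constructed stand-in for the real config\n")
    legit = os.path.join(uploads, "entry-42.pdf")
    with open(legit, "w") as f:
        f.write("constructed upload")
    sibling_file = os.path.join(sibling, "old.zip")
    with open(sibling_file, "w") as f:
        f.write("constructed")

    link = os.path.join(uploads, "innocent.jpg")
    try:
        os.symlink(config, link)  # a symlink sitting inside uploads, pointing outside
        symlink_result = safe_delete_upload(uploads, "upload", link)
    except (OSError, NotImplementedError):
        symlink_result = False  # platform without symlink support

    return {
        "absolute_config": safe_delete_upload(uploads, "upload", config),
        "traversal": safe_delete_upload(
            uploads, "upload", os.path.join(uploads, "..", "..", "wp-config.php")),
        "prefix_sibling": safe_delete_upload(uploads, "upload", sibling_file),
        "text_field": safe_delete_upload(uploads, "text", legit),
        "symlink": symlink_result,
        "legit_upload": safe_delete_upload(uploads, "upload", legit),
        "config_still_exists": os.path.exists(config),
        "upload_removed": not os.path.exists(legit),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Only the last deletion succeeds; every other stored value is refused without touching the file system, and wp-config.php survives all of them. In a WordPress context the base directory would come from `wp_upload_dir()['basedir']`.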
As of today, 200,000+ sites have updated, but an unknown number remain unpatched—leaving them vulnerable to exploitation.
Urgent Recommendations
- Update Forminator to version 1.44.3 immediately
- If unable to patch, temporarily disable the plugin until secure
Additionally:
✔ Audit your site’s file system for unauthorized changes
✔ Monitor form submissions for suspicious field values
✔ Enable server-side file integrity monitoring if available
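As an added example of the file-integrity recommendation above (not a tool from Wordfence or WPMU DEV), the Python below hashes every file under a site root into a baseline and later reports files that were removed, added or changed. Run against a real installation, the baseline should be stored off the web server; the deletion this article describes then shows up as a missing wp-config.php. The sample directory and file contents are constructed.

```python
import hashlib
import os
import tempfile


def build_baseline(root: str) -> dict:
    """Map each file's path (relative to root, '/' separated) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest.hexdigest()
    return baseline


def compare_to_baseline(baseline: dict, root: str) -> dict:
    """Return which files were removed, added or modified since the baseline."""
    current = build_baseline(root)
    return {
        "removed": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(
            p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Simulate the article's scenario: baseline a site, lose wp-config.php, re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    files = {  # constructed stand-ins for a WordPress tree
        "wp-config.php": "<?php // constructed\n",
        "index.php": "<?php // constructed\n",
        "wp-content/uploads/entry-42.pdf": "constructed upload",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    baseline = build_baseline(root)

    # Changes that a later check should surface:
    os.remove(os.path.join(root, "wp-config.php"))          # the effect of CVE-2025-6463
    with open(os.path.join(root, "index.php"), "a") as f:   # an edited core file
        f.write("// tampered\n")
    with open(os.path.join(root, "wp-content", "uploads", "extra.txt"), "w") as f:
        f.write("constructed new file")                      # an unexpected new file

    return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

A missing wp-config.php in the "removed" list is exactly the signal the article warns about; scheduling the comparison (for example from cron) and alerting on any non-empty result turns the manual audit into ongoing monitoring.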
Why This Matters
This flaw highlights the outsized risk posed by seemingly harmless plugins. A single vulnerable form submission could result in the deletion of critical site files, leaving the door wide open for full compromise.
Even more concerning, the attack chain does not require credentials, making it highly attractive to opportunistic threat actors.
“This is the kind of vulnerability attackers love—low complexity, high impact, and broad exposure,” noted Wordfence researchers.
Additional Notes
- Wordfence began blocking known exploit attempts on June 25.
- No widespread exploitation has been reported—yet.
- Given the simplicity of the attack and public disclosure, mass scanning is likely imminent.
Website admins and developers should act now. Delays in patching could expose sites to catastrophic loss or compromise.
Stay tuned for updates as the situation develops.