The widely used Forminator plugin for WordPress has been found to have a serious vulnerability that could allow attackers to take control of websites running the plugin. Tracked as CVE-2025-6463, the flaw enables unauthenticated arbitrary file deletions, which can result in complete site takeovers.
The Forminator plugin, developed by WPMU DEV, has over 600,000 active installations, making this issue particularly concerning for many site owners. The vulnerability stems from inadequate validation and sanitization of form field values in the plugin's backend: an attacker can submit a form whose field carries an arbitrary file path. When that crafted path is saved with the submission, the plugin's subsequent file handling can delete the file it points to, including critical WordPress configuration files.
According to security researchers from Wordfence, deleting essential files such as ‘wp-config.php’ can force the affected site into a vulnerable state, enabling attackers to connect it to a malicious database. This was detailed in a report on the Wordfence blog, which highlights the critical nature of the flaw and underscores the urgency for users to act.
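The root cause described above is a delete routine that trusts a path taken from stored form data. The helper below is an added illustration of the defensive pattern a plugin should apply instead; it is not Forminator's code or its fix, and the plugin-specific upload directory name (example-plugin-uploads) and function name are assumptions.

```php
<?php
// Added example (not Forminator's code): a hardened file-delete helper for a
// WordPress plugin that must only ever remove files it created itself.
// Assumption: the plugin stores submission uploads under
// wp-content/uploads/example-plugin-uploads/ (hypothetical directory name).

/**
 * Delete a submission upload, refusing any path outside the plugin's upload
 * directory. Returns true on deletion, false when the path is rejected or
 * the file is missing.
 */
function example_plugin_delete_upload(string $untrusted_path): bool {
    // Anchor on the canonical upload directory; WP_CONTENT_DIR is WordPress's own constant.
    $base = realpath(WP_CONTENT_DIR . '/uploads/example-plugin-uploads');
    if ($base === false) {
        return false; // Directory does not exist, so there is nothing to delete.
    }

    // Only a bare file name is acceptable from stored data; drop any directory
    // component so "../../wp-config.php" collapses to "wp-config.php".
    $name = basename($untrusted_path);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // Resolve symlinks and ".." BEFORE comparing; never compare the raw string.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return false; // Missing, or not a regular file.
    }

    // Containment check: the resolved path must still live inside $base. This
    // also catches a symlink planted in the upload dir that points at
    // wp-config.php, because realpath() follows it before the comparison.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log('Rejected delete outside upload dir: ' . $untrusted_path);
        return false;
    }

    // Extra guard: the plugin never stores PHP sources, so refuse them outright.
    if (preg_match('/\.(php|phtml|phar)$/i', $name)) {
        return false;
    }

    return unlink($target);
}
```

Logging the rejected path gives site operators a detection signal for traversal attempts against the delete routine.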
The issue was discovered by security researcher Phat RiO – BlueRock, who reported it to Wordfence in June. Following the report, WPMU DEV took immediate steps to address the flaw, releasing a patched version of the plugin on June 30. Users are strongly advised to update to Forminator version 1.44.3 or temporarily deactivate the plugin until their sites are secured against potential exploitation.
Currently, there are no confirmed cases of the vulnerability being actively exploited, but as the technical details of CVE-2025-6463 are now public, there is a heightened risk that threat actors may soon attempt to leverage this flaw. Site administrators should be vigilant and ensure that their plugins are regularly updated to mitigate risk.