Overview
The Common Vulnerabilities and Exposures (CVE) system has recently identified a serious security vulnerability dubbed CVE-2025-6463. This flaw lies within the Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress and affects all versions up to, and including, 1.44.2. This vulnerability poses a significant threat to WordPress websites running the Forminator Forms plugin, as it allows unauthenticated attackers to trigger arbitrary file deletion, potentially leading to system compromise or data leakage.
Given the severity of the potential impact, it is crucial that administrators and developers using this plugin understand the nature of this vulnerability, its workings, and how to mitigate it effectively.
Vulnerability Summary
CVE ID: CVE-2025-6463
Severity: High (8.8 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Arbitrary file deletion potentially leading to remote code execution and system compromise
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
Forminator Forms – Contact Form, Payment Form & Custom Form Builder Plugin for WordPress | Up to and including 1.44.2
How the Exploit Works
The vulnerability lies in the ‘entry_delete_upload_files’ function of the Forminator Forms plugin. Due to insufficient file path validation, an unauthenticated attacker can include arbitrary file paths in a form submission. When the form submission is deleted-either manually by an Administrator or automatically via the plugin’s settings-the file specified in the arbitrary path will also be deleted.
This exploit can lead to remote code execution if a critical file-such as wp-config.php-is deleted. This file deletion can disrupt the normal operation of the WordPress site and potentially grant the attacker access to sensitive information, leading to system compromise or data leakage.
Conceptual Example Code
Below is a hypothetical example of an HTTP request that could exploit this vulnerability.
POST /forminator_forms/submit_form HTTP/1.1
Host: victim-website.com
Content-Type: multipart/form-data
{
"form_id": "123",
"field_id": "file_upload_field",
"file_path": "/absolute/path/to/wp-config.php"
}In this example, the attacker uses the POST method to submit a form with an arbitrary file path pointing to the wp-config.php file. When the form is deleted, the wp-config.php file will also be deleted, potentially leading to remote code execution.
Mitigation Guidance
To mitigate this vulnerability, users are advised to apply the vendor-supplied patch immediately. In cases where this is not possible, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used as a temporary measure to monitor and block malicious activity. In all cases, regular monitoring and updating of all WordPress plugins and core files is recommended to prevent future vulnerabilities.