CVE-2025-6463
📋 TL;DR
The Forminator WordPress plugin has a critical vulnerability that allows unauthenticated attackers to delete arbitrary files on the server by manipulating form submissions. This affects all versions up to 1.44.2 and can lead to complete site compromise if critical files like wp-config.php are deleted. WordPress administrators using vulnerable versions are at immediate risk.
💻 Affected Systems
- Forminator Forms – Contact Form, Payment Form & Custom Form Builder for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover via remote code execution by deleting wp-config.php or other critical files, potentially leading to data theft, defacement, or malware installation.
Likely Case
Site disruption or downtime through deletion of important files, potentially requiring full restoration from backups.
If Mitigated
Limited impact if proper file permissions and web application firewalls block malicious requests.
🎯 Exploit Status
Simple HTTP requests can trigger the vulnerability without authentication. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.44.3 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3319860/forminator#file3
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Forminator plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.44.3+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable Forminator Plugin
Temporarily disable the vulnerable plugin until it is patched:
wp plugin deactivate forminator
Web Application Firewall Rule
Block requests to the vulnerable entry_delete_upload_files function:
Add WAF rule to block POST requests containing 'entry_delete_upload_files' in parameters
🧯 If You Can't Patch
- Implement strict file permissions (wp-config.php should be 400 or 440); note that on Unix-like systems deleting a file requires write permission on its directory rather than on the file itself, so the web server user must also not own or be able to write the directory containing the files you want to protect
- Deploy web application firewall with rules blocking file deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Forminator → Version. If the version is 1.44.2 or lower, the system is vulnerable.
Check Version:
wp plugin get forminator --field=version
Verify Fix Applied:
Verify Forminator plugin version is 1.44.3 or higher in WordPress admin panel.
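The version check above is easy to get wrong when scripted, because a plain string comparison orders "1.44.10" before "1.44.3". The following script is an added example, not part of the advisory: it wraps the page's own `wp plugin get forminator --field=version` command (WP-CLI is assumed to be installed and the WordPress path is an assumed parameter) and compares the result numerically against the fixed release 1.44.3.

```python
"""Scripted version check for the "How to Verify" step of CVE-2025-6463.

Added example, not part of the advisory. It runs the WP-CLI command shown on
the page (WP-CLI assumed installed) and compares the printed version against
the fixed release 1.44.3 component by component.
"""
import re
import subprocess

FIXED_VERSION = (1, 44, 3)  # first release containing the fix, per the advisory


def parse_version(text: str) -> tuple:
    """Turn '1.44.2' into (1, 44, 2) so versions compare numerically.

    Only the leading dotted numeric components are used; a pre-release suffix
    such as '-beta1' is ignored.  Short versions are padded so that '1.44'
    compares as 1.44.0.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version: str) -> bool:
    """True when the installed Forminator version is 1.44.2 or lower."""
    return parse_version(version) < FIXED_VERSION


def installed_version(wp_path: str = ".") -> str:
    """Return the installed plugin version reported by WP-CLI.

    `--path` is WP-CLI's global option for the WordPress root; `wp_path`
    is an assumed parameter for this example.
    """
    out = subprocess.run(
        ["wp", "plugin", "get", "forminator", "--field=version", f"--path={wp_path}"],
        capture_output=True,
        text=True,
        check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    print(f"Forminator {v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Run it from the WordPress root (or pass the path) on each site you manage; the numeric comparison is the part worth keeping when you fold this into fleet-wide inventory scripts.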
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with 'action=forminator_delete_uploaded_file' or similar patterns
- File deletion events in web server logs for unexpected paths
Network Indicators:
- Unusual POST requests to WordPress admin endpoints from unauthenticated sources
- Patterns of file path traversal in request parameters
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND (post_data="*entry_delete_upload_files*" OR post_data="*forminator_delete_uploaded_file*"))
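The matching logic behind the WAF rule in the Temporary Workarounds section and the SIEM query above is the same: a POST to admin-ajax.php whose body carries one of the advisory's indicator strings, optionally with path traversal in a parameter. The script below is an added example, not code from the advisory or the plugin; it runs that logic over a constructed JSON-lines request log. It assumes the log carries the request body as `post_data`, as the SIEM query does (ordinary access logs lack bodies, so in practice this runs over a WAF or audit log), and URL-decodes the body before matching so that encoded traversal sequences are not missed.

```python
"""Detection of CVE-2025-6463 request indicators over a JSON-lines log.

Added example, not part of the advisory.  Field names (ts, src_ip, method,
uri_path, post_data, status) and every log line below are constructed for
this example.
"""
import json
import re
from urllib.parse import unquote_plus

# Indicator strings taken from the advisory's detection section.
INDICATOR_STRINGS = ("entry_delete_upload_files", "forminator_delete_uploaded_file")
AJAX_PATH = "/wp-admin/admin-ajax.php"
# Path traversal or a direct reference to wp-config.php, checked after URL decoding.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|wp-config\.php)", re.IGNORECASE)

# Constructed sample log (not real traffic).  'action=heartbeat' is a normal
# WordPress admin-ajax call; 'upload_path' is an assumed parameter name.
SAMPLE_LOG = """\
{"ts": "2025-07-01T10:00:01Z", "src_ip": "203.0.113.10", "method": "POST", "uri_path": "/wp-admin/admin-ajax.php", "post_data": "action=heartbeat", "status": 200}
{"ts": "2025-07-01T10:00:05Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/wp-admin/admin-ajax.php", "post_data": "action=forminator_delete_uploaded_file&upload_path=..%2F..%2Fwp-config.php", "status": 200}
{"ts": "2025-07-01T10:00:09Z", "src_ip": "192.0.2.44", "method": "GET", "uri_path": "/wp-admin/admin-ajax.php", "post_data": "", "status": 200}
{"ts": "2025-07-01T10:00:12Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/wp-admin/admin-ajax.php", "post_data": "entry_delete_upload_files=1&upload_path=uploads/2025/07/x.txt", "status": 200}
"""


def classify(event: dict) -> list:
    """Return the indicator names matched by one request event (empty if benign)."""
    reasons = []
    if event.get("method") != "POST" or event.get("uri_path") != AJAX_PATH:
        return reasons
    body = unquote_plus(event.get("post_data", ""))  # decode %2F etc. before matching
    for needle in INDICATOR_STRINGS:
        if needle in body:
            reasons.append(f"indicator:{needle}")
    if TRAVERSAL_RE.search(body):
        reasons.append("traversal")
    return reasons


def scan(log_text: str) -> list:
    """Parse JSON lines and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        reasons = classify(event)
        if reasons:
            findings.append({"ts": event.get("ts"), "src_ip": event.get("src_ip"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit on an indicator string alone is worth an alert on an unpatched site; a hit that also carries the traversal reason from an unauthenticated source is the case to treat as an active attempt and to check against the file deletion events in the web server and file integrity logs.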