
A vulnerability in the Forminator WordPress plugin allows attackers to delete arbitrary files and take over impacted websites.

 

July 2, 2025 By Ionut Arghire

 

A vulnerability in the Forminator WordPress plugin could allow attackers to take over more than 400,000 impacted websites.

A popular form builder plugin with more than 600,000 active installations, Forminator supports the creation of various types of forms, including contact and payment forms, polls, and more.

The WordPress plugin was found vulnerable to CVE-2025-6463 (CVSS score of 8.8), an arbitrary file deletion flaw that exists because file paths are not sufficiently validated in a function used to delete a form submission’s uploaded files.

According to WordPress security firm Defiant, the function that Forminator uses to save form entry fields to the database does not perform proper sanitization of the values in the field, which allows attackers to submit file arrays in the form’s fields.
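The path validation the article says was missing can be sketched as a containment check before deletion. This is an added example, not code from the article, from Defiant, or from Forminator; the function names, directory layout and sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not the plugin's code. All names here are assumptions.

/** Return the canonical path if $candidate is a regular file inside $baseDir, else null. */
function resolve_inside_base(string $candidate, string $baseDir): ?string
{
    $base = realpath($baseDir);
    $real = realpath($candidate); // resolves ".." and symlinks; false if the file is missing
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base plus a trailing separator so "/uploads-evil" cannot match "/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/**
 * Delete files referenced by a stored entry value, treating the value as untrusted:
 * it may be a string, an array, or something else entirely. Returns the deleted paths.
 */
function delete_entry_uploads($value, string $uploadDir): array
{
    $deleted = [];
    foreach ((array) $value as $candidate) {
        if (!is_string($candidate)) {
            continue; // nested arrays and other types are never treated as paths
        }
        $real = resolve_inside_base($candidate, $uploadDir);
        if ($real !== null && unlink($real)) {
            $deleted[] = $real;
        }
    }
    return $deleted;
}

// Constructed demo: one file inside the upload directory, one outside it.
$root = sys_get_temp_dir() . '/entry-demo-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/cv.pdf", 'demo');
file_put_contents("$root/outside.txt", 'demo');

$submitted = ["$root/uploads/cv.pdf", "$root/uploads/../outside.txt", ['nested']];
$deleted = delete_entry_uploads($submitted, "$root/uploads");

echo 'deleted: ', implode(', ', array_map('basename', $deleted)), PHP_EOL;
echo 'outside file still present: ', var_export(file_exists("$root/outside.txt"), true), PHP_EOL;

// Clean up the demo directory.
unlink("$root/outside.txt");
rmdir("$root/uploads");
rmdir($root);
```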

 
