A critical vulnerability in the Forminator WordPress plugin has exposed more than 600,000 websites to potential full-site takeover attacks. The flaw, tracked as CVE-2025-6463, has been assigned a high CVSS score of 8.8 and affects all Forminator versions up to 1.44.2.
How the Vulnerability Works
Forminator is a popular form builder plugin created by WPMU DEV, known for its drag-and-drop interface used to design and embed forms, quizzes, polls, and calculators. However, the recent discovery of a logic flaw in the way it handles form submissions has left a large number of sites vulnerable.
The vulnerability stems from how the plugin's backend function save_entry_fields() processes user input. It accepts all field types, even text inputs, as potential file fields, without checking their actual type or validating the path.
This oversight enables attackers to insert a fake file array into any form field. By pointing it to a sensitive file such as wp-config.php, attackers can abuse the plugin's auto-deletion mechanism to erase that file when a submission is purged, either manually by the admin or automatically.
“Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control,” Wordfence explained in its disclosure.
This behavior could be triggered remotely by simply submitting a form, requiring no authentication, which significantly raises the threat level.
Discovery, Disclosure, and Patch Timeline
The flaw was discovered on June 20, 2025, by a security researcher known as Phat RiO – BlueRock, who reported it to Wordfence. The researcher was awarded an $8,100 bug bounty.
Three days later, Wordfence responsibly disclosed the issue to WPMU DEV, the plugin’s developer. A patch was released on June 30 with Forminator version 1.44.3, which includes proper field-type validation and limits deletions to the safe WordPress uploads directory.
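As an added illustration of the two controls the 1.44.3 fix is described as adding (declared field type, deletions confined to the uploads directory), here is a standalone PHP check; it is not Forminator's own code, and the `type`, `file` and `path` key names are assumed for the example.

```php
<?php
// Added example, not Forminator's code. Before deleting a file referenced by a
// stored entry, require both controls: the field must be a declared upload field,
// and the path must resolve inside the uploads directory. Key names are assumed.

function is_deletable_upload(array $field, $value, string $uploads_basedir): bool
{
    // Control 1: only declared upload fields may carry a file array. A text
    // field whose value merely looks like a file array is rejected here.
    if (($field['type'] ?? '') !== 'upload') {
        return false;
    }
    if (!is_array($value) || !isset($value['file']['path']) || !is_string($value['file']['path'])) {
        return false;
    }

    // Control 2: resolve both paths. realpath() collapses "..", follows
    // symlinks and returns false for missing files, so a path that points
    // anywhere outside the uploads tree cannot pass the prefix test below.
    $base = realpath($uploads_basedir);
    $path = realpath($value['file']['path']);
    if ($base === false || $path === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $base, strlen($base)) === 0;
}

// Constructed demo layout (no WordPress needed): an uploads directory with one
// file, and a stand-in wp-config.php one level above it.
$root    = sys_get_temp_dir() . '/forminator-demo-' . getmypid();
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/cv.pdf', 'sample upload');
file_put_contents($root . '/wp-config.php', '<?php // constructed stand-in');

$upload_field = ['type' => 'upload'];
$text_field   = ['type' => 'text'];
$real_upload  = ['file' => ['path' => $uploads . '/cv.pdf']];
$traversal    = ['file' => ['path' => $uploads . '/../wp-config.php']];
var_dump(is_deletable_upload($upload_field, $real_upload, $uploads)); // genuine upload
var_dump(is_deletable_upload($upload_field, $traversal,   $uploads)); // path leaves uploads tree
var_dump(is_deletable_upload($text_field,   $real_upload, $uploads)); // wrong field type

// Clean up the constructed files.
unlink($uploads . '/cv.pdf');
unlink($root . '/wp-config.php');
rmdir($uploads);
rmdir($root);
```

In a real plugin the base directory would come from wp_upload_dir()['basedir'] and the deletion from wp_delete_file(); the check itself is what matters.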
While over 200,000 downloads of the patched version have occurred since release, the number of sites still running vulnerable versions remains unknown.
No Exploits Yet—But the Window Is Narrowing
Although there are currently no known cases of in-the-wild exploitation, the combination of public disclosure and ease of exploitation makes CVE-2025-6463 an attractive target for opportunistic attackers. Enterprises running WordPress, particularly those using Forminator, should act immediately.
If the plugin is active on your website:
- Update to version 1.44.3 or later
- Or deactivate the plugin if an update cannot be applied right away
Neglecting to patch this issue can lead to full compromise of WordPress sites — a risk that can be devastating for businesses relying on digital presence for customer operations or brand trust.
Why Secure Recovery Systems Matter
Attacks like this highlight how vulnerable even well-maintained websites can be to unexpected flaws in third-party plugins. In the event of a breach or site takeover, rapid recovery becomes just as important as prevention. Enterprises must be equipped with secure, immutable backup systems to restore operations quickly and eliminate downtime.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.