A serious vulnerability has been found in the popular Forminator plugin used on WordPress websites. This flaw could let attackers take full control of affected websites. The issue is tracked as CVE-2025-6463 and has a high severity score of 8.8 out of 10. It affects all versions of the plugin up to 1.44.2.

Forminator, made by WPMU DEV, is a drag-and-drop form builder that helps users create forms for their websites. According to WordPress.org, it is active on more than 600,000 websites.

The vulnerability exists because the plugin does not properly validate and sanitize the data entered into forms, and because the backend code that deletes files does not restrict which paths it will delete.

When someone submits a form, the plugin saves all field data, even if it includes file paths. An attacker can use this to trick the system into deleting important files, like wp-config.php, which is critical for running a WordPress site.

Once this file is deleted, the site goes into “setup mode,” making it easy for an attacker to take over the website by connecting it to their own database.

The flaw was discovered by a researcher named Phat RiO – BlueRock, who reported it through the Wordfence Bug Bounty Program on June 20. Wordfence confirmed the issue and informed WPMU DEV on June 23. The company responded quickly and released a fix on June 30.

The new version, Forminator 1.44.3, includes a check that prevents the deletion of important files outside the WordPress uploads folder.
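The fix described above is a containment check: before deleting anything, confirm that the path actually resolves to a file inside the uploads directory. The following is an added example of such a check, written for this article; it is not Forminator's or WPMU DEV's code, and the function names, the temporary demo paths and the logging call are assumptions. In a real plugin the allowed directory would come from the WordPress `wp_upload_dir()` API (its `basedir` entry); here it is passed in as a parameter so the script runs stand-alone with the PHP CLI.

```php
<?php
// Added example (not Forminator's code): refuse to delete any file that does
// not live inside the WordPress uploads directory.

/**
 * Return true only if $path resolves to an existing regular file strictly
 * inside $allowed_dir. Both sides are canonicalised with realpath() so that
 * "..", symlinks and unusual separators cannot escape the directory.
 */
function is_path_inside_uploads(string $path, string $allowed_dir): bool {
    $real_dir  = realpath($allowed_dir);
    $real_path = realpath($path);
    if ($real_dir === false || $real_path === false) {
        return false; // directory or file does not exist: nothing to delete
    }
    // Compare against the directory plus a trailing separator so that
    // "/var/www/uploads-other" does not pass for "/var/www/uploads".
    $real_dir = rtrim($real_dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real_path, $real_dir, strlen($real_dir)) === 0
        && is_file($real_path);
}

/**
 * Delete a file referenced by a form submission, but only if it is inside
 * the uploads directory. In WordPress, pass wp_upload_dir()['basedir'] as
 * $allowed_dir. Returns true on deletion, false when the request is refused.
 */
function delete_upload_if_safe(string $submitted_path, string $allowed_dir): bool {
    if (!is_path_inside_uploads($submitted_path, $allowed_dir)) {
        // Log refusals: a burst of these is a useful detection signal.
        error_log('Refused to delete path outside uploads: ' . $submitted_path);
        return false;
    }
    return unlink($submitted_path);
}

// Stand-alone demonstration with a constructed temporary uploads directory.
$uploads = sys_get_temp_dir() . '/demo-uploads-' . getmypid();
mkdir($uploads);
$inside = $uploads . '/export.csv';
file_put_contents($inside, "a,b\n");
// A stand-in for a critical file that lives outside the uploads directory.
$outside = sys_get_temp_dir() . '/demo-config-' . getmypid() . '.php';
file_put_contents($outside, "<?php // stand-in for a site config file\n");

var_dump(delete_upload_if_safe($inside, $uploads));   // file inside uploads
var_dump(delete_upload_if_safe($outside, $uploads));  // file outside uploads
var_dump(delete_upload_if_safe($uploads . '/../' . basename($outside), $uploads)); // traversal attempt

// Clean up the constructed files.
@unlink($outside);
rmdir($uploads);
```

The important design point is that the check runs on the canonical path returned by `realpath()`, not on the string the form submitted: a plain substring check on the raw value can be bypassed with `..` segments or symlinks, while comparing canonical paths with a trailing separator cannot. Logging each refused deletion also gives site operators a simple signal to alert on.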

So far, there are no reports of active attacks using this vulnerability. But now that the details are public, attackers could start exploiting it soon. If you use the Forminator plugin, update it immediately to version 1.44.3 or higher. If you cannot update right now, deactivate the plugin until you can.