Forminator WordPress Plugin Vulnerability Exposes 600,000 Sites to Arbitrary File Deletion

A serious vulnerability in the popular Forminator WordPress plugin has put a huge number of sites at risk. Security researchers disclosed a flaw that can allow arbitrary file deletion, which can quickly snowball into a full site takeover. The issue affects Forminator versions up to 1.44.2 and is tracked as CVE-2025-6463. With Forminator used broadly across WordPress, the exposure is significant, with reporting indicating as many as 600,000 sites could be impacted.

What makes this bug especially dangerous is that it can be triggered by unauthenticated users. In other words, an attacker may not need a login at all. The vulnerability involves how Forminator handles form submissions that include file-related data. Attackers can submit crafted input that includes arbitrary file paths hidden inside fields that look normal, such as a name field. The malicious paths are stored in the submission data, and later, when the submission is removed, those referenced files can be deleted from the server.

The catch is that the deletion occurs when the form entry is deleted, either by an administrator cleaning up submissions or by automated cleanup settings inside the plugin. That might sound like a hurdle, but it is not much of one in real-world use. Spam submissions and junk entries are frequently deleted as routine maintenance, which means attackers can effectively plant a “time bomb” in the database and wait for normal cleanup behavior to trigger the damage.

How the Forminator flaw enables file deletion and site takeover

At a technical level, the problem centers on weak validation in two places. First, the logic that saves form entries does not properly sanitize input, allowing unexpected “file array” structures to be smuggled into fields that should never contain file data. Second, the deletion logic fails to confirm that a referenced file is a legitimate upload. It does not adequately validate allowed field types, confirm safe extensions, or enforce that the path points only to the WordPress uploads directory.

This opens the door to deleting high-value files. A commonly cited target is wp-config.php, which contains database configuration and other core settings. If wp-config.php is deleted, WordPress can enter its setup flow. In that state, an attacker may be able to hijack the site by pointing it to a database they control, depending on the server environment and how the installation is exposed. That can lead to full compromise, including the possibility of remote code execution if the attacker can establish administrative control and pivot to additional actions.

The vulnerability was uncovered by security researcher Phat RiO, BlueRock and reported through the Wordfence Bug Bounty Program, which helped drive rapid vendor response and a clear remediation path.

Patch timeline and what WordPress site owners should do now

The plugin vendor, WPMU DEV, moved quickly once notified. After being contacted on June 23, 2025, the vendor registered with Wordfence’s vulnerability management process on June 25, received full disclosure, and released a fix within days. The patch, released in Forminator 1.44.3, adds stricter checks for allowed field types and limits file path handling to the WordPress uploads directory, closing off the most dangerous path traversal and deletion behavior.

If you run Forminator, the action item is straightforward: update to version 1.44.3 immediately. This applies even if you think your forms are simple or rarely used. The risk is tied to the plugin’s handling of submissions, not a specific form configuration.

After updating, it’s also smart to review recent submissions and deletion settings. If your site auto-deletes entries after a set period, confirm those settings are intentional. Finally, monitor your site for unexpected behavior, such as WordPress suddenly displaying the setup screen, missing configuration files, or unexplained changes in database connectivity. Fast patching is the best defense here, because once attackers know a vulnerability exists, automated scanning and exploitation tend to follow quickly.
