Cybersecurity researchers have identified a severe vulnerability in the widely used Forminator WordPress plugin that could lead to complete website compromise. The security flaw, designated CVE-2025-6463 (CVSS 8.8), affects over 600,000 active installations. The bug was reported to Wordfence by researcher Phat RiO – BlueRock, who received an $8,100 bounty for the discovery.
Understanding the CVE-2025-6463 Vulnerability
The vulnerability was discovered by security researcher Phat RiO – BlueRock, who reported the issue to the Wordfence team on June 20, 2025. The researcher received a substantial $8,100 bounty for identifying this critical security flaw, highlighting the severity of the discovery.
The core issue stems from insufficient input validation and unsafe file handling logic within the plugin’s backend code. Specifically, the save_entry_fields() function stores all form field values, including file paths, without proper field type verification or file path validation. This fundamental oversight creates a dangerous attack vector that malicious actors can exploit.
Attack Methodology and Exploitation Process
The vulnerability enables attackers to execute a sophisticated two-stage attack that can completely compromise WordPress installations. Understanding this attack methodology is crucial for comprehending the threat’s severity.
During the initial phase, attackers inject specially crafted data arrays into any form field, including standard text fields. They can simulate uploaded files with arbitrary paths, targeting critical system files such as /var/www/html/wp-config.php. This manipulation exploits the plugin’s failure to distinguish between legitimate file uploads and malicious path injections.
The second phase triggers when administrators manually delete form entries or when automatic cleanup processes remove old entries. At this point, the Forminator plugin attempts to delete the specified files, including critical system files, effectively destroying essential WordPress configuration data and forcing the site into setup mode.
Devastating Impact on WordPress Security
The consequences of successful exploitation are catastrophic for WordPress website security. As Wordfence experts explain, “Deleting wp-config.php puts the site into setup mode, allowing attackers to initiate site takeover by connecting it to a database under their control.”
This attack scenario grants attackers complete administrative control over the targeted website, including access to sensitive user data, the ability to install malicious code, and the potential to use the compromised site as a launching point for additional attacks. The implications extend beyond individual site compromise, potentially affecting entire hosting environments and user networks.
Forminator Plugin Overview and Widespread Usage
Developed by WPMU DEV, Forminator serves as a comprehensive form builder for WordPress websites. The plugin enables users to create payment forms, contact forms, surveys, quizzes, and questionnaires using an intuitive drag-and-drop interface. Its popularity stems from its versatility and ease of use, making it a preferred choice for many WordPress administrators.
According to WordPress.org statistics, Forminator maintains an active installation base of approximately 600,000 websites, making this vulnerability particularly concerning for the broader WordPress ecosystem. The extensive user base amplifies the potential impact of this security flaw.
Security Patch and Remediation Efforts
The development team responded promptly to the vulnerability disclosure, releasing version 1.44.3 on June 30, which addresses the security flaw through enhanced field type validation and file path verification. The update restricts file deletion operations to the WordPress uploads directory, preventing attacks on critical system files.
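To make the root cause and the shape of the fix concrete, here is an added PHP illustration written for this article; it is not Forminator's code and the function names, array layout and field-type labels are assumptions. The "unsafe" function shows the pattern the advisory describes (a stored path is passed to unlink() with no check of where it came from or where it points), and the "safe" function applies the two controls the patch description names: a field-type check and containment of the resolved path inside the uploads directory.

```php
<?php
// Added illustration, not Forminator's code. Names and data layout are
// hypothetical; only the two controls (field type + path containment) are
// taken from the advisory's description of the fix.

// Hypothetical "before": every stored value carrying a file path is handed
// straight to unlink(). If a stored path was attacker-controlled, the plugin
// deletes whatever it points at when the entry is cleaned up.
function delete_entry_files_unsafe(array $stored_fields): void {
    foreach ($stored_fields as $field) {
        if (!empty($field['file']['path'])) {
            @unlink($field['file']['path']);
        }
    }
}

// Hardened version: delete a file only if (1) the field it belongs to is
// declared as an upload field, and (2) its path resolves inside the uploads
// directory after "../" and symlink normalisation by realpath().
function delete_entry_files_safe(array $stored_fields, array $field_types, string $uploads_dir): array {
    $deleted = [];
    $base = realpath($uploads_dir);
    if ($base === false) {
        return $deleted; // uploads dir missing: delete nothing rather than guess
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach ($stored_fields as $slug => $field) {
        // (1) Field-type check: data submitted through a text field is never a file.
        if (($field_types[$slug] ?? '') !== 'upload') {
            continue;
        }
        $path = $field['file']['path'] ?? '';
        if ($path === '') {
            continue;
        }
        // (2) Containment: realpath() returns false for non-existent files and
        // collapses traversal/symlinks, so a prefix check on the result is sound.
        $real = realpath($path);
        if ($real === false || strncmp($real, $base, strlen($base)) !== 0) {
            error_log("Refusing to delete file outside uploads dir for field {$slug}: {$path}");
            continue;
        }
        if (@unlink($real)) {
            $deleted[] = $real;
        }
    }
    return $deleted;
}

// Constructed demo: a temporary "uploads" dir with one legitimate upload, and a
// stand-in for a sensitive file outside it whose path was stored under a text field.
$uploads = sys_get_temp_dir() . '/demo_uploads_' . getmypid();
mkdir($uploads);
$legit = $uploads . '/resume.pdf';
file_put_contents($legit, 'pdf bytes');
$sensitive = sys_get_temp_dir() . '/demo_config_' . getmypid() . '.php';
file_put_contents($sensitive, '<?php // stand-in for a config file');

$stored = [
    'upload-1' => ['file' => ['path' => $legit]],
    'text-1'   => ['file' => ['path' => $sensitive]], // path smuggled into a text field
];
$types = ['upload-1' => 'upload', 'text-1' => 'text'];

$deleted = delete_entry_files_safe($stored, $types, $uploads);
printf("deleted: %s\n", implode(', ', $deleted));
printf("stand-in config still present: %s\n", file_exists($sensitive) ? 'yes' : 'no');

// Clean up the demo files.
@unlink($sensitive);
@rmdir($uploads);
```

Run it with `php demo.php`: only the file under the temporary uploads directory is removed, and the path stored under the text field is refused and logged. Both checks matter on their own: the type check stops non-upload fields from carrying paths at all, and the containment check limits the damage even if a genuine upload record is later tampered with.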
Since the patch release, the plugin has been downloaded approximately 200,000 times, though the exact number of vulnerable installations remains unknown. The vulnerability affects all Forminator versions up to and including 1.44.2.
Sites running Forminator 1.44.2 or older
All websites running Forminator versions up to and including 1.44.2 are vulnerable — approximately 600,000 active WordPress installations. Sites that allow untrusted users or customers to submit forms (contact forms, surveys, quizzes) are at highest risk, as exploitation requires only the ability to submit form data.
Patching Forminator and checking for prior exploitation
- Update Forminator to version 1.44.3 or later immediately via the WordPress dashboard (Plugins → Updates).
- If immediate update is not possible, temporarily deactivate Forminator until the patch is applied.
- Check recent form submissions for suspicious file path entries (e.g., paths containing wp-config.php or /var/www/html) that may indicate prior exploitation attempts.
- Consider deploying a WordPress security plugin or WAF (Wordfence, Sucuri) to monitor for unusual form submission patterns.
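The "check recent form submissions" step above can be scripted. The PHP helper below is an added triage example written for this article, not a Wordfence or Forminator tool: it walks stored entry values (including PHP-serialized arrays), and flags any absolute filesystem path that does not sit under the uploads directory, plus any value containing a traversal sequence or the wp-config.php filename the advisory calls out. The row shape (entry_id, meta_key, meta_value) and the table name in the comment are assumptions; adjust them to what your database actually contains.

```php
<?php
// Added triage helper, not part of Forminator or Wordfence. Row shape and
// table name are assumptions; sample rows below are constructed.

// Collect every string inside a (possibly nested) array.
function flatten_strings(array $a): array {
    $out = [];
    array_walk_recursive($a, function ($v) use (&$out) {
        if (is_string($v)) {
            $out[] = $v;
        }
    });
    return $out;
}

// Return the stored values that look like file paths outside the uploads
// directory, or that contain strings the advisory associates with this attack.
function flag_suspicious_entry_values(array $rows, string $uploads_dir): array {
    $findings  = [];
    $base      = rtrim($uploads_dir, '/') . '/';
    // Patterns that have no business in a form value's file path.
    $needle_re = '#(wp-config\.php|\.\./|\.\.\\\\)#i';

    foreach ($rows as $row) {
        $value   = (string) $row['meta_value'];
        // Entry values may be PHP-serialized; decode without instantiating classes.
        $decoded = @unserialize($value, ['allowed_classes' => false]);
        $strings = is_array($decoded) ? flatten_strings($decoded) : [$value];

        foreach ($strings as $s) {
            // Absolute Unix path or Windows drive path; URLs and free text are skipped.
            $is_abs = (bool) preg_match('#^(/|[A-Za-z]:\\\\)#', $s);
            $inside = str_starts_with($s, $base);
            if (($is_abs && !$inside) || preg_match($needle_re, $s)) {
                $findings[] = [
                    'entry_id' => $row['entry_id'],
                    'meta_key' => $row['meta_key'],
                    'value'    => $s,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for what a query such as
//   $wpdb->get_results("SELECT entry_id, meta_key, meta_value
//                       FROM {$wpdb->prefix}frmt_form_entry_meta", ARRAY_A)
// might return (table name is an assumption; verify against your schema).
$uploads = '/var/www/html/wp-content/uploads';
$rows = [
    ['entry_id' => 101, 'meta_key' => 'upload-1',
     'meta_value' => serialize(['file' => ['path' => $uploads . '/2025/06/cv.pdf']])],
    ['entry_id' => 102, 'meta_key' => 'text-1',
     'meta_value' => 'Please call me back on Monday'],
    ['entry_id' => 103, 'meta_key' => 'text-1',
     'meta_value' => serialize(['file' => ['path' => '/var/www/html/wp-config.php']])],
    ['entry_id' => 104, 'meta_key' => 'url-1',
     'meta_value' => 'https://example.com/contact'],
];

foreach (flag_suspicious_entry_values($rows, $uploads) as $f) {
    printf("entry %d, field %s: %s\n", $f['entry_id'], $f['meta_key'], $f['value']);
}
```

Only the row whose text field carries a serialized path to a file outside the uploads directory is reported; the legitimate upload, the free-text value and the URL are passed over. A hit on a site that ran a vulnerable version is a reason to treat the entry as an exploitation attempt and to confirm that wp-config.php is intact before the next cleanup runs.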