
Cloud Vulnerability DB
A community-led vulnerabilities database
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress contains a critical vulnerability (CVE-2025-6463) affecting versions up to and including 1.44.2. The vulnerability was discovered in July 2025 and allows unauthenticated attackers to perform arbitrary file deletion due to insufficient file path validation in the 'entrydeleteupload_files' function. This vulnerability impacts over 600,000 active WordPress installations (SecurityOnline, NVD).
The vulnerability exists in the form submission deletion process: the file path stored with a submission is not validated against the plugin's upload location, so an attacker can make it point to any file on the server. When a form submission is deleted, either manually by an administrator or automatically through plugin settings, the referenced files are deleted along with it without proper validation. The vulnerability has been assigned a CVSS score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).
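As an added illustration of the kind of path validation the summary above says was missing, the following PHP snippet confines a submission's stored upload path to the plugin's upload directory before unlinking it. It is example code written here, not Forminator's own code or its patch; it assumes a plugin would obtain the real base directory from WordPress (for instance wp_upload_dir()), and it uses a constructed temporary directory so it runs outside WordPress.

```php
<?php
// Added defensive example (not the plugin's own code): delete a submission's
// attachment only if its canonical path resolves inside the uploads base.
// Assumption: $uploads_base is the plugin's upload directory (in a real
// plugin this would come from wp_upload_dir(); here it is a temp dir).

function safe_delete_upload(string $uploads_base, string $stored_path): bool {
    $base = realpath($uploads_base);
    if ($base === false) {
        return false; // the base directory itself must exist
    }
    // Reject NUL bytes and stream wrappers (php://, phar://, ...) before touching the filesystem.
    if (strpos($stored_path, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $stored_path)) {
        return false;
    }
    // realpath() resolves "..", "." and symlinks, so a link inside uploads that
    // points at wp-config.php resolves to the config file and is rejected below.
    $target = realpath($stored_path);
    if ($target === false || !is_file($target)) {
        return false; // missing file, directory, or dangling link
    }
    // The canonical target must sit strictly inside the uploads base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// --- constructed demo layout: an uploads dir and a stand-in wp-config.php beside it ---
$tmp = sys_get_temp_dir() . '/upload_check_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/uploads", 0700, true);
file_put_contents("$tmp/uploads/attachment.pdf", 'constructed attachment');
file_put_contents("$tmp/wp-config.php", '<?php // constructed stand-in for the site config');

$deleted_ok   = safe_delete_upload("$tmp/uploads", "$tmp/uploads/attachment.pdf");
$deleted_bad  = safe_delete_upload("$tmp/uploads", "$tmp/uploads/../wp-config.php");
$config_alive = file_exists("$tmp/wp-config.php");

printf("in-scope attachment deleted: %s\n", $deleted_ok ? 'yes' : 'no');
printf("traversal to wp-config.php deleted: %s\n", $deleted_bad ? 'yes' : 'no');
printf("wp-config.php still present: %s\n", $config_alive ? 'yes' : 'no');
```

The check relies on canonicalising the stored path rather than on string filtering alone, which is why it also stops symlinks planted inside the upload directory. The lookup and the unlink are not atomic, so in a real plugin the stored path should additionally be restricted at upload time to a name the plugin generated itself, rather than trusted from the submission record.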
The vulnerability can lead to remote code execution if critical files like wp-config.php are deleted. When wp-config.php is deleted, the site enters a setup state, allowing attackers to initiate a site takeover by connecting it to a database under their control. The vulnerability affects over 600,000 WordPress websites and requires no authentication to exploit (SecurityOnline).
The vulnerability has been patched in version 1.44.3. Site administrators are strongly advised to immediately update to this version or later. Additional recommended security measures include reviewing auto-deletion and spam filtering settings in the plugin, monitoring for suspicious form submissions, and enabling Web Application Firewall (WAF) protection (SecurityOnline).
The vulnerability was responsibly reported by security researcher Phat RiO – BlueRock through the Wordfence Bug Bounty Program, earning a bounty of $8,100 for the discovery (SecurityOnline).
Source: This report was generated using AI