Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover


A vulnerability in the Forminator WordPress plugin could allow attackers to take over more than 400,000 impacted websites.

A popular form builder plugin with more than 600,000 active installations, Forminator supports the creation of various types of forms, including contact and payment forms, polls, and more.

The WordPress plugin was found vulnerable to CVE-2025-6463 (CVSS score of 8.8), an arbitrary file deletion flaw that exists because file paths are not sufficiently validated in a function used to delete a form submission’s uploaded files.

According to WordPress security firm Defiant, the function that Forminator uses to save form entry fields to the database does not perform proper sanitization of the values in the field, which allows attackers to submit file arrays in the form’s fields.

Furthermore, the function responsible for deleting the files submitted through the form, when deleting the form, lacks the necessary checks for ...
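The kind of path validation the deletion step is described as missing can be sketched like this. It is an added example, not Forminator's code or its patch: `safe_delete_upload()` and the demo paths are hypothetical, and it assumes every uploaded file lives under one uploads directory.

```php
<?php
// Added example: hypothetical helper, not taken from Forminator or WordPress.

/**
 * Delete $candidate only if it is a string path that resolves to a regular
 * file inside $uploadsDir. Returns true only when a file was actually deleted.
 */
function safe_delete_upload(string $uploadsDir, $candidate): bool
{
    // Stored field values may be attacker-shaped (e.g. arrays): accept plain strings only.
    if (!is_string($candidate) || $candidate === '') {
        return false;
    }
    // realpath() collapses ".." segments and symlinks; it returns false for missing paths.
    $base = realpath($uploadsDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return false;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "/uploads-old" is not treated as being inside "/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return is_file($real) && unlink($real);
}

// Constructed demo tree in the system temp directory.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/resume.pdf', 'sample upload');
file_put_contents($root . '/config.php', 'stands in for a file outside uploads');

var_dump(safe_delete_upload($uploads, $uploads . '/resume.pdf'));    // legitimate upload
var_dump(safe_delete_upload($uploads, $uploads . '/../config.php')); // path escaping the uploads directory
var_dump(safe_delete_upload($uploads, ['file_path' => 'x']));        // non-string value from a stored field
var_dump(file_exists($root . '/config.php'));                        // file outside uploads after the calls

// Remove the demo tree.
unlink($root . '/config.php');
rmdir($uploads);
rmdir($root);
```

This covers only the deletion side; the save-side problem the article attributes to unsanitized field values needs its own check on which fields may hold file data.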


Copyright of this story solely belongs to SecurityWeek.