Over 600K WordPress Sites at Risk Due to Critical Plugin Vulnerability
A critical security flaw in the popular Forminator WordPress plugin has put more than 600,000 websites worldwide at risk of remote takeover, according to recent disclosures from security firm Wordfence and independent researchers.
The vulnerability, tracked as CVE-2025-6463 and rated 8.8 (High) on the CVSS scale, allows unauthenticated attackers to delete arbitrary files from affected servers—potentially leading to full site compromise.
How the Vulnerability Works
The flaw exists in all Forminator versions up to and including 1.44.2. It stems from insufficient validation in the plugin’s handling of file deletions during form submission processing.
Attackers can craft a form submission containing a malicious file path; when the submission is deleted—either manually by an administrator or automatically by plugin settings—the referenced file is also deleted.
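The root cause described above is a deletion routine that trusts a file path stored in submission data. As an added illustration (not Forminator's code or its patch; the function names, directory layout and file names are hypothetical), a deletion helper can canonicalize the stored path and refuse anything that resolves outside the upload directory:

```php
<?php
// Added illustration; not Forminator's code. Function names, directory
// layout and file names are hypothetical.

// Return the canonical path if $candidate is a regular file inside $baseDir,
// otherwise null. realpath() resolves "..", symlinks and duplicate
// separators, so the comparison is made on the file's real location.
function resolve_inside(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null; // base or target does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // resolves outside the upload directory
    }
    return is_file($real) ? $real : null;
}

// Delete a file referenced by a submission only if it passes the check.
function delete_submission_file(string $uploadDir, string $storedPath): bool
{
    $real = resolve_inside($uploadDir, $storedPath);
    if ($real === null) {
        error_log('refused to delete path outside upload dir: ' . $storedPath);
        return false;
    }
    return unlink($real);
}

// Constructed demo in a throwaway temp directory.
$root = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/site-config.php', "<?php // stands in for a config file\n");
file_put_contents($root . '/uploads/resume.pdf', 'constructed upload');

var_dump(delete_submission_file($root . '/uploads', $root . '/uploads/resume.pdf'));
var_dump(delete_submission_file($root . '/uploads', $root . '/uploads/../site-config.php'));
var_dump(file_exists($root . '/site-config.php'));
```

The first call removes the upload, the second is refused and logged, and the file outside the upload directory is still present afterwards.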
Field | Value |
CVE-ID | CVE-2025-6463 |
Plugin Name | Forminator Forms – Contact Form, Payment Form & Custom Form Builder |
Affected Versions | < ... |
Copyright of this story solely belongs to gbhackers.