Full Report
A severe flaw identified in the Forminator WordPress plugin allows arbitrary file deletion and potential site takeover
Analysis Summary
# Vulnerability: Forminator WordPress Plugin Arbitrary File Deletion Leading to Site Takeover
## CVE Details
- CVE ID: CVE-2025-6463
- CVSS Score: *Not given in the source text. The described conditions (unauthenticated trigger, loss of `wp-config.php`, full site takeover) place it in the High range.*
- CWE: *Not given in the source text. The flaw class described is an externally controlled file path reaching a delete operation without validation.*
## Affected Systems
- Products: WordPress Plugin Forminator
- Versions: All versions up to and including 1.44.2
- Configurations: Any WordPress installation using the vulnerable version of the Forminator plugin.
## Vulnerability Description
The flaw is an arbitrary file deletion caused by insufficient validation of file paths and overly broad deletion logic in the way Forminator cleans up submission data. An unauthenticated visitor can submit a form in which an ordinary text field (the 'name' field, for example) contains an arbitrary path on the server. Nothing happens at submission time; the damage occurs when that submission is later deleted, either manually by an administrator or automatically through the plugin's submission-cleanup settings, because the plugin treats the stored value as the path of an uploaded file and removes it from disk. The obvious target is `wp-config.php`, which holds the database credentials and authentication keys. With that file gone, WordPress serves its installation routine on the next request, and anyone who can reach the site can complete the setup by pointing it at a database they control (provided the web server can connect to that host). The attacker then holds an administrator account on the rebuilt site, and ordinary administrator functionality is enough to reach remote code execution (RCE) on the server.
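The pattern described above, as an added example that is not Forminator's code: a hypothetical routine that deletes the files attached to a form entry, first in the unsafe shape the advisory describes (any stored string that names an existing file gets deleted) and then hardened so that only paths which canonicalise to a location inside the uploads directory can be removed. Function names, the directory layout and the sample values are constructed for the demo; the stand-in `wp-config.php` lives in a throwaway temporary directory.

```php
<?php
// Added example, not the plugin's own code. Demonstrates why a path taken from
// submission data must be canonicalised and confined before unlink() is called.
declare(strict_types=1);

// UNSAFE: trusts a value that originated in a form field and deletes whatever it names.
// An attacker who placed "/path/to/wp-config.php" in a text field gets that file
// removed as soon as the entry is deleted.
function delete_entry_files_unsafe(array $entryValues): int
{
    $deleted = 0;
    foreach ($entryValues as $value) {
        if (is_string($value) && is_file($value)) {
            unlink($value);
            $deleted++;
        }
    }
    return $deleted;
}

// Return the canonical path if $candidate resolves inside $baseDir, else null.
// realpath() collapses "../" segments and symlinks before the prefix comparison;
// the trailing separator stops "/uploads-evil/x" from matching "/uploads".
function resolve_inside(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null; // base missing or target does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($real, $base) ? $real : null; // PHP 8+
}

// HARDENED: caller passes only the paths the plugin itself recorded as uploads,
// and each one must still resolve inside the uploads directory and be a regular file.
function delete_entry_files_safe(string $uploadsDir, array $uploadPaths): int
{
    $deleted = 0;
    foreach ($uploadPaths as $path) {
        $real = resolve_inside($uploadsDir, $path);
        if ($real !== null && is_file($real)) {
            unlink($real);
            $deleted++;
        }
    }
    return $deleted;
}

// Demo on a constructed, throwaway directory tree. No real site files are touched.
$root = sys_get_temp_dir() . '/forminator-demo-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // stand-in for the real config\n");
file_put_contents("$root/uploads/resume.pdf", "pdf bytes");

// Two things an attacker might type into a "name" field: an absolute path and a traversal.
$attackerValues = ["$root/wp-config.php", "$root/uploads/../wp-config.php"];

delete_entry_files_unsafe([$attackerValues[0]]);
echo "stand-in wp-config.php present after unsafe delete: ",
     var_export(file_exists("$root/wp-config.php"), true), PHP_EOL;

// Recreate the stand-in and run the hardened routine on the same inputs plus one real upload.
file_put_contents("$root/wp-config.php", "<?php // stand-in\n");
$removed = delete_entry_files_safe("$root/uploads", [...$attackerValues, "$root/uploads/resume.pdf"]);
echo "hardened routine removed $removed file(s); stand-in wp-config.php present: ",
     var_export(file_exists("$root/wp-config.php"), true), PHP_EOL;

// Clean up the demo tree.
@unlink("$root/wp-config.php");
@unlink("$root/uploads/resume.pdf");
@rmdir("$root/uploads");
@rmdir($root);
```

The confinement check alone is not the whole fix: the hardened routine also only ever sees paths the plugin recorded for file-upload fields, so a value typed into a text field never reaches the delete loop at all. Both halves matter; the prefix check catches a stored upload path that was later tampered with, and the field-type restriction catches the attack described here.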
## Exploitation
- Status: *The source does not state whether exploitation in the wild has been observed.*
- Complexity: Low. The attacker only has to submit a form, but the file is removed only when the poisoned submission is deleted, so the attacker either waits for automatic cleanup or relies on an administrator deleting the entry.
- Attack Vector: Network (via form submission).
## Impact
- Confidentiality: High (code execution on the web server exposes any files, credentials and data the server can reach).
- Integrity: High (the attacker ends up with administrative control of the site and can change anything on it).
- Availability: High (deleting `wp-config.php` takes the site offline immediately; it serves the installation screen until the file is restored or the site is re-set-up).
## Remediation
### Patches
- The vulnerability is patched in **Forminator versions after 1.44.2**; update to the latest available release immediately.
### Workarounds
- Given the severity and the roughly 600,000 sites running the plugin, patching is the primary recommendation and no vendor workaround was detailed. Because the file is removed only when a submission is deleted, a site that cannot patch immediately should disable automatic submission deletion, refrain from deleting submissions, and review stored submissions for path-like values before any deletion; disabling the plugin temporarily is the fallback. Keep an offline copy of `wp-config.php` so the site can be restored quickly if it is deleted.
## Detection
- Indicators of compromise: the site suddenly serving the WordPress installation screen (`wp-admin/install.php`) or failing outright; `wp-config.php` or other critical files missing from the web root with no corresponding administrative action; stored form submissions whose plain-text fields (such as 'name') contain filesystem paths like `/var/www/.../wp-config.php` or `../../wp-config.php`; a `wp-config.php` that has been rewritten to point at an unfamiliar database host.
- Detection methods and tools: file integrity monitoring on the WordPress root that alerts on deletion, not only modification, of `wp-config.php`; review of pending submissions for path-like values in non-file fields before they are deleted; web server access logs showing form POSTs followed by requests to the installation screen; an alert whenever the installation screen is served at all on a production site.
## References
- Vendor advisories: Information derived from a report via the Wordfence Bug Bounty Program.
- Relevant links - defanged:
- News article: hxxps://www.infosecurity-magazine.com/news/wordpress-plugin-flaw-sites-file/