Forminator plug-in flaw exposes 600,000 WordPress instances to takeover

A high-risk vulnerability in the WordPress plug-in Forminator, which has been installed 600,000 times, allows a full compromise of affected sites.

(Image: WordPress logo on a smartphone. Primakov/Shutterstock.com)

The WordPress plug-in Forminator has more than 600,000 installations. IT security researchers have discovered a vulnerability in it that could allow attackers to take over vulnerable instances completely. However, an update to close the gap is already available.

The IT researchers at Wordfence warn of the vulnerability in a blog post. The vulnerability in the WordPress plug-in Forminator allows unauthenticated attackers to specify arbitrary file paths in a form submission, causing Forminator to delete the specified file if the submission is deleted. This allows them to delete “wp-config.php”, for example, and subsequently execute malicious code under certain circumstances (CVE-2025-6463 / no EUVD yet, CVSS 8.8, risk “high”).

The function “entry_delete_upload_files” does not sufficiently validate the path information passed to it. Unauthenticated malicious actors can specify arbitrary file paths in a form submission; the referenced file is then removed when the submitted form entry is deleted. The deletion can be triggered manually by WordPress admins or automatically through a plug-in setting – Wordfence does not explain what the default setting is.
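To show the class of defect the analysts describe and what a hardened version looks like, here is an added example in PHP. It is not Forminator's code and not taken from the Wordfence analysis: the function names (`delete_entry_file_unsafe`, `resolve_upload_path`, `delete_entry_file_safe`) and the `file_path` entry field are hypothetical, while `wp_upload_dir()`, `wp_normalize_path()`, `trailingslashit()` and `wp_delete_file()` are standard WordPress helpers the example assumes are loaded.

```php
<?php
// Added illustration, not Forminator's code. Models a plug-in that stores the
// path of an uploaded file with a form entry and removes that file when the
// entry is deleted. Assumes WordPress core is loaded (wp_upload_dir() etc.).

/**
 * Vulnerable pattern: the stored path is handed straight to unlink().
 * If that value originated in the form submission, the submitter decides
 * which file disappears once an admin or an automatic clean-up deletes
 * the entry. (Hypothetical function; kept only to contrast with the fix.)
 */
function delete_entry_file_unsafe( array $entry_meta ) {
    $path = $entry_meta['file_path'];   // submitter-influenced value
    if ( file_exists( $path ) ) {
        unlink( $path );                // could be any file PHP may write to
    }
}

/**
 * Resolve a stored path and accept it only if it is a regular file inside
 * the WordPress uploads directory. realpath() collapses "../" segments and
 * symlinks before the prefix comparison; the trailing slash on the base
 * prevents a sibling directory with the same prefix from passing.
 */
function resolve_upload_path( string $stored_path ): ?string {
    $upload_dir = wp_upload_dir();
    $base       = realpath( $upload_dir['basedir'] );
    $real       = realpath( $stored_path );
    if ( false === $base || false === $real ) {
        return null;                    // base dir or target does not exist
    }
    $base = trailingslashit( wp_normalize_path( $base ) );
    $real = wp_normalize_path( $real );
    if ( 0 !== strpos( $real, $base ) ) {
        return null;                    // outside uploads: refuse
    }
    if ( ! is_file( $real ) ) {
        return null;                    // directories are never deleted here
    }
    return $real;
}

/**
 * Hardened pattern: delete only what resolve_upload_path() vouches for and
 * leave an audit trail when a stored path points elsewhere.
 */
function delete_entry_file_safe( array $entry_meta ): bool {
    $stored = (string) ( $entry_meta['file_path'] ?? '' );
    $path   = resolve_upload_path( $stored );
    if ( null === $path ) {
        error_log( 'Refused to delete entry file outside uploads dir: ' . $stored );
        return false;
    }
    wp_delete_file( $path );
    return true;
}
```

The prefix check is a mitigation for code that already persists a path; the more robust design is not to store a submitter-supplied path at all, but to save the upload under a server-generated name and persist only that name, rebuilding the full path from the uploads directory at deletion time.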

Deleting “wp-config.php”, for example, puts the WordPress instance into its setup state, allowing attackers to take it over completely by connecting it to a database under their control, which in turn lets them execute arbitrary code. In their analysis, the IT researchers go further into the source code and discuss the problem in more detail.


“Even though this vulnerability requires a step of passive or active interaction to exploit, we assume that the deletion of forms is a very likely situation to occur, especially if they look a lot like spam,” write the analysts. This makes the vulnerability an attractive target for attackers. Wordfence recommends that affected site operators update their WordPress instances as quickly as possible. Forminator is vulnerable up to and including version 1.44.2; the fix ships in version 1.44.3, released on Monday of this week, and that version or newer closes the gap.

A vulnerability in the WordPress plug-in AI Engine became known in mid-June. It is used on more than 100,000 websites, and the vulnerability allowed impacted WordPress instances to be completely compromised.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.