Full Report
The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks. [...]
Analysis Summary
# Vulnerability: Forminator Plugin Arbitrary File Deletion Leading to Site Takeover
## CVE Details
- CVE ID: CVE-2025-6463
- CVSS Score: Not explicitly provided, but the impact suggests **High severity** (leading to site takeover).
- CWE: Not explicitly provided, likely related to Improper Access Control or Path Traversal.
## Affected Systems
- Products: Forminator plugin for WordPress
- Versions: Versions prior to 1.44.3
- Configurations: Any WordPress installation using the vulnerable version of the Forminator plugin.
## Vulnerability Description
The vulnerability is an Arbitrary File Deletion flaw within the Forminator WordPress plugin. This flaw, when exploited, allows an attacker to delete arbitrary files on the server by manipulating file deletion requests, potentially leading to a full site takeover if critical files are deleted or modified. The vulnerability details suggest an issue where file paths are not properly validated, allowing deletion outside the intended directory structure (e.g., outside the WordPress uploads directory).
## Exploitation
- Status: No reports of active exploitation in the wild, but PoC details are public following disclosure.
- Complexity: The article suggests the exploitation potential is **High** due to "ease of exploitation."
- Attack Vector: Likely **Network** (via authenticated or unauthenticated web requests, although not specified, file deletion functionality usually requires some level of access).
## Impact
- Confidentiality: Potential impact if sensitive files are deleted or manipulated to gain further access.
- Integrity: **High**. Direct ability to delete arbitrary files on the system leads to loss of data integrity and site functionality.
- Availability: **High**. Deletion of core WordPress or plugin files can lead to a complete site outage/takeover.
## Remediation
### Patches
- **Forminator version 1.44.3** or later. This version implements a field type check and file path validation to restrict deletions solely to the WordPress uploads directory.
### Workarounds
1. Update the Forminator plugin immediately to version 1.44.3 or the latest available version.
2. If immediate patching is not possible, deactivate the Forminator plugin until an update can be applied.
## Detection
- Indicators of compromise (IOCs) are not detailed, but monitoring for unexpected file deletions or modifications within the WordPress installation, especially within the uploads directory, might be relevant post-disclosure.
## References
- Vendor Advisory: WPMU DEV (Implied via Wordfence report)
- Relevant Links:
- hxxps://www.wordfence.com/blog/2025/07/600000-wordpress-sites-affected-by-arbitrary-file-deletion-vulnerability-in-forminator-wordpress-plugin/