- Description
- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
- Source
- security@wordfence.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
- security@wordfence.com
- CWE-73
- Hype score
- Not currently trending
Critical vulnerability in the Forminator WordPress plugin In June 2025, researchers at Wordfence and other independent experts issued a serious security alert concerning the popular Forminator WordPress plugin. The vulnerability – which the CVE-2025-646
@linuxmint_hun
10 Jul 2025
CVE-2025-6463: The Forminator Forms plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to 1.44.2. Attackers can include arbitrary file paths in a form submission and perform remote code execution. https://t.co/T5NSv2SEM9
@ZeroDayFacts
8 Jul 2025
CVE-2025-6463 (CVSS:8.8, HIGH) is Awaiting Analysis. The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary ..https://t.co/nGrb3fDRUx #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
7 Jul 2025
Actively exploited CVE : CVE-2025-6463
@transilienceai
7 Jul 2025
Actively exploited CVE : CVE-2025-6463
@transilienceai
6 Jul 2025
Actively exploited CVE : CVE-2025-6463
@transilienceai
5 Jul 2025
CVE-2025-6463: Critical Forminator Plugin Flaw Puts 600,000 WordPress Sites at Risk #WordPress #CVE20256463 #ForminatorPlugin #WebsiteSecurity #CyberSecurity #SiteTakeover #PatchNow #VulnerabilityAlert #WPPlugins #InfoSec https://t.co/6CVQZSgcaT
@cyashadotcom
4 Jul 2025
The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks. The security issue is tracked as CVE-2025-6463 and has a high-severity impact (CVSS 8.8 score). https://t.co/s3NWmvpDEz https://t.co/
@riskigy
4 Jul 2025
Actively exploited CVE : CVE-2025-6463
@transilienceai
4 Jul 2025
The Forminator plugin for WordPress has a critical vulnerability (CVE-2025-6463) allowing unauthenticated arbitrary file deletion, potentially leading to full site takeover. This flaw affects all versions up to 1.44.2 and has a CVSS score of 8.8. https://t.co/b9yn91qvPv
@securityRSS
3 Jul 2025
.@IonutArghire: Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover | https://t.co/PYHVulcvmo @securityweek "The WordPress plugin was found vulnerable to CVE-2025-6463 (CVSS score of 8.8), an arbitrary file deletion flaw ..." https://t.co/mySDUHKm3x
@VoxOptima
3 Jul 2025
A high-severity vulnerability (CVE-2025-6463, CVSS 8.8) in the Forminator plugin could lead to total website takeovers, impacting over 600,000 WordPress sites! A flawed input validation process allows attackers to delete critical files. https://t.co/jineWPwOwH
@The4n6Analyst
3 Jul 2025
The Forminator plugin for WordPress has a critical vulnerability (CVE-2025-6463) allowing unauthenticated file deletion, affecting all versions up to 1.44.2, potentially enabling attackers to take over websites by deleting wp-config.php. #Security https://t.co/fw7OuDxj1e
@Strivehawk
3 Jul 2025
⚠️Vulnerability in WordPress plugin ❗CVE-2025-6463 ➡️More info: https://t.co/Dfn9ev3lnh https://t.co/5xegZUZo8A
@CERTpy
2 Jul 2025
CVE-2025-6463 The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path vali… https://t.co/p5ZZS1pju4
@CVEnew
2 Jul 2025
[CVE-2025-6463: HIGH] The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entr...#cve,CVE-2025-6463,#cybersecurity https://t.co/kl2vPahXJT http
@CveFindCom
2 Jul 2025
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:incsub:forminator:*:*:*:*:free:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9BE163FA-F920-4268-9E59-9CD1C5063DD7",
            "versionEndExcluding": "1.44.3"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]