- Experts find a way to trick Forminator into deleting a core WordPress file
- This process would trigger the site’s setup, where hackers can take it over
- A patch is available, and users are advised to apply it
A popular WordPress plugin active on hundreds of thousands of websites was found to be carrying a high-severity vulnerability which could allow threat actors to fully take over compromised websites.
Forminator is a form builder plugin that allows WordPress operators to add custom contact, feedback, quiz, survey, poll, and payment forms. It offers a drag-and-drop interface, making it user-friendly, and integrates with many other plugins.
Recently, a security researcher with the alias ‘Phat RiO – BlueRock’ found that the plugin suffered from insufficient validation and sanitization of form field input, combined with unsafe file deletion logic. The flaws could be abused by supplying a custom file path in any form field, which (after a few steps) would force Forminator to delete a core WordPress file, wp-config.php. As a result, the entire website enters the “setup” stage, where the attacker can take it over.
How to stay safe
“Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control,” noted experts at Wordfence, a WordPress security project.
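The root cause described above is a deletion routine that trusts a path derived from user input. The following is an added illustration, not Forminator's or WordPress core's code, of how such a helper should confine unlink() to one allowed directory; the function name and the $allowed_dir parameter are assumptions, and in a real plugin the directory would come from wp_upload_dir()['basedir'].

```php
<?php
// Added example (not Forminator's code): delete only regular files that
// resolve to a location strictly inside $allowed_dir, so a user-supplied
// path can never reach a core file such as wp-config.php.
function safe_delete_within(string $allowed_dir, string $candidate): bool
{
    // realpath() resolves "../" and symlinks, and returns false for paths
    // that do not exist, so both sides are compared in canonical form.
    $base = realpath($allowed_dir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return false;
    }
    // The resolved target must sit below the allowed directory; a plain
    // string-prefix check on the canonical path with a trailing separator
    // also rejects sibling directories such as "uploads_evil".
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log("refused delete outside allowed dir: {$candidate}");
        return false;
    }
    // Never remove directories or special files, only regular files.
    if (!is_file($real)) {
        return false;
    }
    return unlink($real);
}

// Stand-alone demonstration with constructed temporary files.
$uploads = sys_get_temp_dir() . '/uploads_demo';
@mkdir($uploads);
$config = sys_get_temp_dir() . '/wp-config.php'; // constructed stand-in for the core file
file_put_contents($config, '<?php // constructed stand-in');
file_put_contents("{$uploads}/form-attachment.txt", 'constructed upload');

// A traversal path that escapes the uploads directory is refused and the
// stand-in config file survives.
var_dump(safe_delete_within($uploads, "{$uploads}/../wp-config.php"));
var_dump(file_exists($config));

// A genuine file inside the allowed directory is deleted as intended.
var_dump(safe_delete_within($uploads, "{$uploads}/form-attachment.txt"));

// Clean up the constructed files.
unlink($config);
rmdir($uploads);
```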
The vulnerability is tracked as CVE-2025-6463, and has a severity score of 8.8/10 – high. All versions up to 1.44.2 are vulnerable. As per WordPress.org data, there are more than 600,000 active websites using this plugin, making the attack surface rather large.
The first clean version is 1.44.3, and the plugin’s vendor, WPMU DEV, is urging all users to apply it as soon as possible. BleepingComputer reports that the plugin has been downloaded 200,000 times since the patch was released, “but it is unclear how many are currently vulnerable to exploitation”.
To mitigate the risk of attack, website admins should upgrade their Forminator plugin to the newest version, or disable and delete the plugin altogether. Generally speaking, WordPress core itself is considered secure; third-party plugins and themes are the weakest link in this security chain.
That being said, WordPress users are advised to keep only the plugins and themes they actually use, ensure those are updated regularly, and disable and delete all others.