Vulnerability Management, Threat Intelligence

Widespread WordPress site takeover possible with plugin flaw

SecurityWeek reports that more than 400,000 WordPress sites using the Forminator plugin for form and poll creation could be hijacked in attacks exploiting the plugin's critical arbitrary file deletion vulnerability, tracked as CVE-2025-6463.

Threat actors could leverage the flaw — which stems from inadequate value sanitization conducted by the Forminator plugin's function for saving form entry fields to the database — to remove specific arbitrary files on the server upon the removal of a form, according to WordPress security firm Defiant. "While this vulnerability does require a step of passive or active interaction to exploit, we believe that form submission deletion, especially if created to appear spammy, is a very likely situation to occur, making this vulnerability a prime target for attackers," said Defiant. Admins have been urged to promptly implement Forminator version 1.44.3, which addresses the issue through the integration of a file path check within the delete functionality.

Related

New CVE working groups unveiled

MITRE Corporation's Common Vulnerabilities and Exposures program had its board introduce a pair of new forums to strengthen the initiative's future following the Cybersecurity and Infrastructure Security Agency's last-minute decision in April to fund the program for the next 11 months, Infosecurity Magazine reports.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

BackdoorBotnetBrute ForceCovert ChannelsDeepfakeDenial of ServiceDictionary AttackDisruptionDistributed ScansDumpSec

You can skip this ad in 5 seconds