Vulnerability Management, Threat Intelligence
Widespread WordPress site takeover possible with plugin flaw

SecurityWeek reports that more than 400,000 WordPress sites using the Forminator plugin for form and poll creation could be hijacked through a critical arbitrary file deletion vulnerability in the plugin, tracked as CVE-2025-6463. According to WordPress security firm Defiant, the flaw stems from inadequate sanitization of values in the Forminator function that saves form entry fields to the database: a file path supplied in a submission is stored as-is, and when that form entry is later deleted the stored path is removed from the server, letting an attacker delete arbitrary files. "While this vulnerability does require a step of passive or active interaction to exploit, we believe that form submission deletion, especially if created to appear spammy, is a very likely situation to occur, making this vulnerability a prime target for attackers," said Defiant. Admins have been urged to update promptly to Forminator version 1.44.3, which addresses the issue by adding a file path check to the delete functionality.
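The following is an added, illustrative example and not Forminator's own code: it shows the general pattern the advisory describes (a file path stored with a form entry and later handed to unlink() when the entry is deleted) next to a hardened version that resolves the path and refuses anything outside the plugin's upload directory. The function names, the `file_path` entry-meta key, the temporary upload directory and the decoy files are all assumptions constructed for the demonstration.

```php
<?php
// Added example, not Forminator's code. Demonstrates unsafe vs. safe handling
// of a stored file path at entry deletion time.

// Hypothetical stand-in for the upload directory a plugin would normally
// obtain from wp_upload_dir(); uses a temp dir so the script runs anywhere.
function example_upload_dir(): string {
    $dir = sys_get_temp_dir() . '/forminator-example-uploads';
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    return $dir;
}

// VULNERABLE pattern: the value stored with the entry is trusted as-is,
// so a path that escapes the upload directory is deleted without question.
function delete_entry_file_vulnerable(array $entry_meta): bool {
    $path = $entry_meta['file']['file_path'] ?? '';
    if ($path !== '' && file_exists($path)) {
        return unlink($path);
    }
    return false;
}

// Containment check: canonicalise both paths (resolving '..' and symlinks)
// and require the target to sit strictly inside the base directory.
function path_is_within(string $path, string $base_dir): bool {
    $real_path = realpath($path);
    $real_base = realpath($base_dir);
    if ($real_path === false || $real_base === false) {
        return false; // unresolvable paths are never deletable
    }
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real_path, $real_base, strlen($real_base)) === 0;
}

// HARDENED pattern: same deletion, but only for files inside the upload dir.
function delete_entry_file_hardened(array $entry_meta): bool {
    $path = $entry_meta['file']['file_path'] ?? '';
    if ($path === '' || !is_file($path)) {
        return false;
    }
    if (!path_is_within($path, example_upload_dir())) {
        error_log("refusing to delete file outside upload dir: $path");
        return false;
    }
    return unlink($path);
}

// Constructed demonstration inputs.
$uploads = example_upload_dir();
$legit = $uploads . '/entry-42.txt';
file_put_contents($legit, 'uploaded through a form');

// Decoy standing in for a sensitive file such as wp-config.php.
$decoy = sys_get_temp_dir() . '/wp-config-decoy.php';
file_put_contents($decoy, '<?php // decoy');

// Attacker-shaped entry meta: traverses out of the upload directory.
$malicious = ['file' => ['file_path' => $uploads . '/../wp-config-decoy.php']];
// Legitimate entry meta: a real upload inside the directory.
$benign = ['file' => ['file_path' => $legit]];

var_dump(delete_entry_file_hardened($malicious)); // traversal refused
var_dump(file_exists($decoy));                    // decoy still present
var_dump(delete_entry_file_hardened($benign));    // real upload removed

var_dump(delete_entry_file_vulnerable($malicious)); // no check: decoy deleted
var_dump(file_exists($decoy));

// Clean up the temporary files.
@unlink($decoy);
@rmdir($uploads);
```

The hardened variant rejects the traversal path because realpath() collapses the `..` before the prefix comparison, so the decoy survives; the vulnerable variant passes the same stored value straight to unlink() and removes it. Note that realpath() returns false for a non-existent file, which is why the check is ordered after the is_file() test rather than relying on string matching against the raw value. On sites managed with WP-CLI, the installed version can be confirmed with `wp plugin get forminator --field=version` and the update applied with `wp plugin update forminator`.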