- Researchers found a way to trick Forminator into deleting a core WordPress file
- Doing so drops the site into its setup stage, where attackers can take it over
- A patch is available and users are advised to apply it
A popular WordPress plugin active on hundreds of thousands of sites was found to carry a high-severity vulnerability that could allow threat actors to fully take over affected sites.
Forminator is a form builder plugin that lets WordPress operators add custom contact, feedback, quiz, survey, poll and payment forms. Everything is drag-and-drop, so it is user-friendly and plays well with many other plugins.
Recently, a security researcher going by 'Phat Rio – Bluerock' found that the plugin had insufficient validation and sanitization of form input, combined with unsafe file deletion logic. A file path submitted in any form field can be abused to (after a few steps) make Forminator delete a core WordPress file. As a result, the whole site drops into its "setup" stage, where the attacker can take it over.
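The general shape of such a bug, as an added illustration that is not Forminator's code and does not claim to reproduce its exact logic: a plugin routine that unlinks a path taken straight from a form submission, beside a hardened version that only deletes plain file names that resolve inside the plugin's own upload directory. The function names, the $submission array, the traversal string and the temporary paths are assumptions constructed for this example.

```php
<?php
// Added example, not code from Forminator or WPMU DEV. It shows the generic
// "unsafe file deletion" pattern and one way to harden it. All names and
// paths here are assumptions for the illustration.

// Vulnerable pattern: a value that arrived in a form submission is treated as
// the name of a plugin-owned upload and unlinked without checking where the
// joined path actually points. A submitted value containing "../" walks out of
// the upload directory and can reach a core file such as wp-config.php.
function delete_submission_file_vulnerable(array $submission, string $upload_dir): bool {
    $path = $upload_dir . '/' . ($submission['file'] ?? '');
    if (file_exists($path)) {
        return unlink($path);
    }
    return false;
}

// Hardened pattern: accept only a bare file name, canonicalise with realpath(),
// and require the target to be a regular file strictly inside the upload
// directory. The trailing separator in the prefix check stops a sibling
// directory such as "uploads-old" from passing a plain prefix comparison,
// and realpath() defeats symlinks placed inside the upload directory.
function delete_submission_file_safe(array $submission, string $upload_dir): bool {
    $base = realpath($upload_dir);
    if ($base === false) {
        return false;
    }
    $name = $submission['file'] ?? '';
    // Anything with a directory component (or empty) is rejected before the
    // filesystem is touched; "../wp-config.php" fails this test.
    if ($name === '' || $name !== basename($name)) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return false;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false; // resolved outside the upload directory
    }
    return unlink($target);
}

// Self-contained demo on constructed paths under the system temp directory:
// a stand-in "wp-config.php" one level above a plugin upload directory.
$root = sys_get_temp_dir() . '/forminator-demo-' . getmypid();
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in for the real file\n");
file_put_contents($root . '/uploads/attachment.txt', "constructed upload\n");

$hostile = ['file' => '../wp-config.php']; // traversal value in a form field
$benign  = ['file' => 'attachment.txt'];   // a legitimate plugin-owned upload

// The hardened routine refuses the traversal and leaves the config in place,
// while still deleting the legitimate upload.
$safe_refused  = !delete_submission_file_safe($hostile, $root . '/uploads');
$config_intact = file_exists($root . '/wp-config.php');
$safe_deleted  = delete_submission_file_safe($benign, $root . '/uploads');

// The vulnerable routine follows the traversal and removes the config file.
$vuln_deleted  = delete_submission_file_vulnerable($hostile, $root . '/uploads');
$config_gone   = !file_exists($root . '/wp-config.php');

printf("hardened: refused traversal=%s, config intact=%s, deleted upload=%s\n",
    var_export($safe_refused, true), var_export($config_intact, true), var_export($safe_deleted, true));
printf("vulnerable: deleted via traversal=%s, config gone=%s\n",
    var_export($vuln_deleted, true), var_export($config_gone, true));

// Clean up the constructed tree.
@unlink($root . '/wp-config.php');
@unlink($root . '/uploads/attachment.txt');
rmdir($root . '/uploads');
rmdir($root);
```

Run it with `php` from the command line; it needs no WordPress installation. The two checks in the hardened version are deliberately layered: the `basename()` test rejects directory components before any filesystem call, and the `realpath()` containment check catches what a name-only test cannot, such as a symlink inside the upload directory that points at wp-config.php.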
How to remain safe
"Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control," noted researchers at Wordfence, a WordPress security firm.
The vulnerability is tracked as CVE-2025-6463 and carries a severity score of 8.8/10 (high). All versions up to and including 1.44.2 are vulnerable. Per WordPress.org data, more than 600,000 sites actively use the plugin, making the attack surface large.
The first clean version is 1.44.3, and the plugin's vendor, WPMU DEV, urges all users to update to it as soon as possible. BleepingComputer reports that the plugin has been downloaded 200,000 times since the patch was released, "but it is unclear how many are currently vulnerable to exploitation".
To mitigate the risk, site administrators should update Forminator to the latest version or deactivate and delete the plugin entirely. WordPress itself is generally considered a secure platform; third-party plugins and themes are the weakest link in its security chain.
That said, WordPress users are advised to keep only the plugins and themes they actually use, keep those updated regularly, and disable and delete everything else.