Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover

A critical vulnerability in the Forminator WordPress plugin could enable attackers to delete arbitrary files, risking site takeover on over 400,000 websites. Users are urged to update to the patched version 1.44.3 to mitigate the exploit. #CVE-2025-6463 #Forminator #WordPressSecurity

Key points

  • The vulnerability exists due to insufficient validation of file paths in the Forminator plugin.
  • Attackers can exploit the flaw without authentication to delete arbitrary files, including critical server files.
  • The issue was fixed in version 1.44.3, released on June 30, with improved file path checks.
  • Despite the fix, over 400,000 sites remain vulnerable due to delayed updates.
  • The vulnerability was reported through the Wordfence Bug Bounty Program, earning a reward of $8,100.

Read More: https://www.securityweek.com/forminator-wordpress-plugin-vulnerability-exposes-400000-websites-to-takeover/