CVE-2025-6463 Overview
CVE-2025-6463 is an arbitrary file deletion vulnerability affecting the Forminator Forms plugin for WordPress. The vulnerability exists in the entry_delete_upload_files function due to insufficient file path validation, allowing unauthenticated attackers to include arbitrary file paths in form submissions. When the form submission is later deleted—either manually by an administrator or automatically via plugin settings—the referenced file is deleted from the server. This vulnerability can be leveraged to achieve remote code execution by deleting critical WordPress files such as wp-config.php.
Critical Impact
Unauthenticated attackers can trigger deletion of arbitrary files on the WordPress server, potentially leading to complete site compromise and remote code execution.
Affected Products
- Incsub Forminator (WordPress Plugin) versions up to and including 1.44.2
- WordPress installations using the Forminator Forms plugin
- Sites using Forminator for Contact Forms, Payment Forms, and Custom Form Builder functionality
Discovery Timeline
- July 2, 2025 - CVE-2025-6463 published to NVD
- July 7, 2025 - Last updated in NVD database
Technical Details for CVE-2025-6463
Vulnerability Analysis
This vulnerability falls under CWE-73 (External Control of File Name or Path), a class of file system vulnerabilities where attackers can manipulate file paths processed by an application. The flaw resides in the entry_delete_upload_files function within the Forminator plugin's form entry model class.
When users submit forms through Forminator, the plugin stores metadata about uploaded files. The vulnerable function fails to properly validate or sanitize the file paths stored in form submissions before attempting to delete them. This allows attackers to inject path traversal sequences or absolute file paths into the form data, pointing to arbitrary files on the server's file system.
The attack is particularly dangerous because it operates in two stages: first, the attacker submits a malicious form entry containing crafted file paths; second, the deletion occurs when the form entry is removed. This delayed execution means administrators may unknowingly trigger the file deletion when performing routine cleanup or when the plugin's auto-deletion feature activates based on configured retention settings.
Root Cause
The root cause of this vulnerability is the absence of proper input validation and path canonicalization in the entry_delete_upload_files function located in class-form-entry-model.php. The function accepts file path data from stored form entries without verifying that the paths correspond to legitimately uploaded files or that they remain within expected directories. This allows attackers to specify paths outside the intended upload directory, including critical system and WordPress configuration files.
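The following is an added illustration, not code from Forminator or from the advisory: a deletion routine of the shape the root-cause paragraph describes, shown first in its trusting form and then in a hardened form that canonicalizes the stored value with realpath() and refuses anything that does not resolve inside the upload directory. The function names and the throwaway fixture directory are hypothetical.

```php
<?php
// Added example, not Forminator's code: a deletion routine that only ever
// unlinks files inside the expected upload directory. Function names and the
// fixture directory are hypothetical.

/**
 * Vulnerable pattern: the stored metadata value is passed to unlink() as-is,
 * so a stored "../../wp-config.php" or "/var/www/html/wp-config.php" is removed.
 */
function delete_entry_file_unsafe(string $stored_path): bool
{
    return @unlink($stored_path);
}

/**
 * Hardened pattern: canonicalize with realpath() and require that the result
 * stays under the upload directory. Returns true only if a file was removed.
 */
function delete_entry_file_safe(string $stored_path, string $upload_dir): bool
{
    $base = realpath($upload_dir);
    if ($base === false) {
        return false; // upload dir missing: nothing is safe to delete
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Treat the stored value as a name relative to the upload directory; an
    // absolute path from the submitter is never honoured as such.
    $candidate = realpath($base . ltrim($stored_path, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return false; // does not exist, or is not a regular file
    }
    // realpath() resolves "..", "." and symlinks, so a prefix comparison on the
    // canonical path is a reliable containment check.
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return false; // resolved outside the upload directory: refuse
    }
    return unlink($candidate);
}

// Constructed fixture: a throwaway directory with one upload and one config file.
$tmp = sys_get_temp_dir() . '/forminator-demo-' . getmypid();
mkdir("$tmp/uploads", 0700, true);
file_put_contents("$tmp/uploads/receipt.pdf", 'upload');
file_put_contents("$tmp/wp-config.php", 'secret');

$stored_values = [
    'receipt.pdf',          // legitimate upload name
    '../wp-config.php',     // traversal out of the upload directory
    "$tmp/wp-config.php",   // absolute path to the config file
];
foreach ($stored_values as $value) {
    $result = delete_entry_file_safe($value, "$tmp/uploads") ? 'deleted' : 'refused';
    echo str_pad($value, 44) . " => $result\n";
}
echo 'wp-config.php still present: ' . (file_exists("$tmp/wp-config.php") ? 'yes' : 'no') . "\n";

// Remove the fixture.
@unlink("$tmp/wp-config.php");
rmdir("$tmp/uploads");
rmdir($tmp);
```

The important design choice is that the stored value is never used as a path in its own right: it is joined to the upload directory, canonicalized, and only then compared. A string check for "../" alone would miss symlinks and encoded variants, whereas realpath() produces the path the kernel will actually act on.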
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can exploit this vulnerability by:
- Identifying a WordPress site using the vulnerable Forminator plugin
- Submitting a form with manipulated file upload metadata containing paths to critical files (e.g., ../../../wp-config.php)
- Waiting for the form submission to be deleted through either administrative action or automatic cleanup
The vulnerability gains additional severity because deleting wp-config.php forces WordPress into setup mode, allowing attackers to reconfigure the database connection and potentially achieve full remote code execution. The attack requires user interaction in the form of an administrator or automated process deleting the malicious form entry.
The vulnerability mechanism involves insufficient path validation in the form entry deletion handler. When form entries containing file upload references are deleted, the plugin attempts to remove associated files from the filesystem. However, the entry_delete_upload_files function does not verify that file paths are within expected boundaries, allowing attackers to craft submissions with arbitrary paths. For detailed technical analysis, see the WordPress Forminator Code Review and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-6463
Indicators of Compromise
- Unexpected deletion of WordPress core files, especially wp-config.php, .htaccess, or index.php
- Form submissions containing path traversal sequences (../) in file upload fields
- WordPress site entering setup/installation mode without administrator action
- Database connection errors following form entry deletions
Detection Strategies
- Monitor file integrity of critical WordPress files using checksums or file integrity monitoring solutions
- Review Forminator form entries for suspicious file path patterns before deletion
- Implement web application firewall rules to detect path traversal attempts in form submissions
- Audit plugin logs for unusual form submission patterns or file deletion activities
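As an added example (not Forminator's, Wordfence's or the advisory's code), this triage script reviews stored upload-field values before any entry is deleted, as the second strategy above suggests. It goes slightly beyond the "../" indicator listed above by also normalizing URL-encoded and backslash variants and flagging absolute paths that lie outside the upload directory. The entry structure, field names and upload prefix are constructed for the demo.

```php
<?php
// Added example, not from Forminator or the advisory: triage stored form-entry
// upload metadata for values that should never appear in an upload field, so
// suspicious entries can be held for review instead of auto-deleted. The entry
// shape, field names and upload prefix below are constructed for the demo.

/**
 * Classify a stored "file path" value. Returns 'ok' for a value that lives under
 * the expected upload prefix, otherwise a short reason label.
 */
function classify_upload_path(string $value, string $upload_prefix): string
{
    // Normalize the ways a traversal can be written: URL-encoding (possibly
    // doubled), backslashes, and NUL bytes that truncate paths in C-level calls.
    $norm = $value;
    for ($i = 0; $i < 2; $i++) {
        $norm = rawurldecode($norm);
    }
    $norm = str_replace('\\', '/', $norm);

    if (strpos($norm, "\0") !== false) {
        return 'nul-byte';
    }
    if (preg_match('#(^|/)\.\.(/|$)#', $norm)) {
        return 'traversal';
    }
    $is_absolute = ($norm !== '' && $norm[0] === '/') || preg_match('#^[A-Za-z]:/#', $norm);
    if ($is_absolute) {
        return strncmp($norm, $upload_prefix, strlen($upload_prefix)) === 0
            ? 'ok'
            : 'absolute-outside-uploads';
    }
    // A relative value naming a critical file is not a plausible upload either.
    if (preg_match('#(^|/)(wp-config\.php|\.htaccess)$#i', $norm)) {
        return 'critical-file-name';
    }
    return 'ok';
}

/** Walk entries and return [entry_id => [field => reason]] for flagged ones. */
function find_suspicious_entries(array $entries, string $upload_prefix): array
{
    $flagged = [];
    foreach ($entries as $id => $fields) {
        foreach ($fields as $field => $value) {
            $reason = classify_upload_path((string) $value, $upload_prefix);
            if ($reason !== 'ok') {
                $flagged[$id][$field] = $reason;
            }
        }
    }
    return $flagged;
}

// Constructed sample standing in for a dump of the entry-meta table.
$upload_prefix = '/var/www/html/wp-content/uploads/';
$entries = [
    101 => ['upload-1' => $upload_prefix . 'forminator/2025/07/resume.pdf'],
    102 => ['upload-1' => '../../../wp-config.php'],
    103 => ['upload-1' => '/var/www/html/wp-config.php'],
    104 => ['upload-1' => '..%2F..%2Fwp-config.php'],
    105 => ['upload-1' => '..\\..\\.htaccess'],
    106 => ['upload-1' => $upload_prefix . 'forminator/2025/07/photo.jpg'],
];

foreach (find_suspicious_entries($entries, $upload_prefix) as $id => $fields) {
    foreach ($fields as $field => $reason) {
        echo "entry $id field $field: $reason -> hold for review, do not auto-delete\n";
    }
}
```

This check runs purely on the stored strings, so it can be used on a database export or inside a WAF rule without touching the filesystem; the traversal test is applied before the absolute-path test so that a value such as "/var/www/html/wp-content/uploads/../../wp-config.php" is still reported.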
Monitoring Recommendations
- Enable comprehensive logging for the Forminator plugin and WordPress file operations
- Set up alerts for any modifications or deletions of wp-config.php and other critical files
- Monitor for sudden WordPress installation prompts which may indicate wp-config.php deletion
- Track form submission metadata for anomalous file path entries
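The checksum-based file integrity monitoring mentioned under Detection Strategies, and the deletion alerting asked for above, can be as small as the following added example (not from the advisory or any vendor). It records a SHA-256 baseline for the files this advisory names and reports any that are later deleted or changed; the site root and the file list are assumptions for the demo, and the baseline would be stored outside the web root in practice.

```php
<?php
// Added example, not from the advisory or any vendor: a minimal checksum
// baseline for the files this advisory names, so their deletion or change
// is detected promptly. The site root and file list are assumptions.

const CRITICAL_FILES = ['wp-config.php', '.htaccess', 'index.php'];

/** Build a map of relative path => sha256 (null when the file is absent). */
function integrity_baseline(string $site_root, array $files = CRITICAL_FILES): array
{
    $baseline = [];
    foreach ($files as $rel) {
        $path = rtrim($site_root, '/') . '/' . $rel;
        $baseline[$rel] = is_file($path) ? hash_file('sha256', $path) : null;
    }
    return $baseline;
}

/**
 * Compare current state against a saved baseline. Returns a list of
 * [file, status] pairs where status is 'deleted', 'modified' or 'created'.
 */
function integrity_check(string $site_root, array $baseline): array
{
    $findings = [];
    foreach (integrity_baseline($site_root, array_keys($baseline)) as $rel => $now) {
        $was = $baseline[$rel];
        if ($was !== null && $now === null) {
            $findings[] = [$rel, 'deleted'];   // the case this advisory is about
        } elseif ($was !== null && $now !== $was) {
            $findings[] = [$rel, 'modified'];
        } elseif ($was === null && $now !== null) {
            $findings[] = [$rel, 'created'];
        }
    }
    return $findings;
}

// Demo against a throwaway directory standing in for the WordPress root.
$root = sys_get_temp_dir() . '/wp-integrity-demo-' . getmypid();
mkdir($root, 0700, true);
file_put_contents("$root/wp-config.php", "<?php define('DB_NAME', 'demo');\n");
file_put_contents("$root/index.php", "<?php // front controller\n");

$baseline = integrity_baseline($root);        // persist this out of the web root
unlink("$root/wp-config.php");                // simulate the deletion this advisory describes
file_put_contents("$root/index.php", "<?php // tampered\n");

foreach (integrity_check($root, $baseline) as [$file, $status]) {
    echo "ALERT: $file $status\n";
}

// Clean up the fixture.
@unlink("$root/index.php");
rmdir($root);
```

Run integrity_check() from cron at a short interval, or wire the same comparison into an existing monitoring agent; a 'deleted' result for wp-config.php is exactly the signal that precedes the setup-mode symptom described under Indicators of Compromise.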
How to Mitigate CVE-2025-6463
Immediate Actions Required
- Update Forminator Forms plugin to a version newer than 1.44.2 immediately
- Review and delete any suspicious form entries that may contain malicious file paths
- Temporarily disable auto-deletion of form entries until the plugin is patched
- Back up wp-config.php and other critical WordPress files
Patch Information
Incsub has released a security patch addressing this vulnerability. The fix implements proper file path validation in the entry_delete_upload_files function to ensure only legitimate uploaded files within expected directories can be deleted. Administrators should update to the latest available version of Forminator Forms through the WordPress plugin repository. The patch details can be reviewed at the WordPress Forminator Changeset.
Workarounds
- Disable the Forminator plugin entirely until patching is possible if form functionality is not critical
- Implement server-level file permissions to protect critical files from deletion by the web server process
- Use a Web Application Firewall (WAF) to filter form submissions containing path traversal patterns
- Manually review all form entries before deletion rather than relying on auto-delete functionality
Example shell commands for the permission and backup workarounds above (Linux; www-data is assumed to be the web server user, as on Debian-style systems, so adjust to your distribution):
# Limit who can read wp-config.php: owner root, group set to the web server user, no world access
chown root:www-data wp-config.php
chmod 440 wp-config.php
# Note: unlink() is governed by the write bit on the containing directory, not by the
# file's own mode, so the two commands above do not by themselves stop the web server
# process from deleting the file. The immutable flag does block deletion and modification,
# even by root, until it is cleared with chattr -i (clear it before editing the file):
chattr +i wp-config.php
# Keep the backup copy outside the document root: a copy left in the web root under a
# non-.php name is served as plain text and would expose the database credentials.
# The destination directory below is an example path.
mkdir -p /root/wp-backups
cp wp-config.php /root/wp-backups/wp-config.php.backup
chattr +i /root/wp-backups/wp-config.php.backup
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.