A series of critical vulnerabilities have been discovered in the popular Forminator WordPress plugin, which is used by hundreds of thousands of websites to create contact forms, payment forms, and other interactive elements. These vulnerabilities have put an estimated 400,000 to 600,000 WordPress websites at risk of remote takeover and other severe attacks.
Key Vulnerabilities
Arbitrary File Deletion (CVE-2025-6463)
• Severity: High (CVSS 8.8)
• Affected Versions: All versions up to and including 1.44.2
• How it works: Unauthenticated attackers can craft a malicious form submission that, when deleted (either manually or automatically), causes the plugin to delete any file on the server, including critical files like wp-config.php. Deleting this file can force WordPress into setup mode, allowing attackers to hijack the site by connecting it to a database they control.
• Patched Version: 1.44.3
Arbitrary File Upload (CVE-2024-28890)
• Severity: Critical (CVSS 9.8)
• Affected Versions: Up to and including 1.29.0 (free versions 1.24.6 and below are specifically called out)
• How it works: Insufficient file validation during uploads allows attackers to upload and execute malicious files on the server, potentially leading to full site compromise.
• Patched Version: 1.29.3 (users are urged to update to at least this version)
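Both file-handling flaws above come down to trusting a path or filename supplied through a form submission. The PHP sketch below is an added example, not code from Forminator, and shows the two checks a form plugin needs on the defensive side: file deletion is confined to the uploads directory by comparing realpath() results, and an upload must pass an extension allowlist whose expected MIME type is confirmed by the fileinfo extension. The directory layout, file names and function names are assumptions made for the demonstration.

```php
<?php
// Added example (not Forminator's code): confined deletion and upload
// validation for a form plugin. All paths and names here are assumptions.

declare(strict_types=1);

/**
 * Resolve $candidate and confirm it lies inside $baseDir.
 * Returns the resolved absolute path, or null when the file does not exist
 * (realpath() returns false) or resolves outside the base directory.
 */
function resolve_inside(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Prefix check on canonical paths defeats "../" segments and symlinks.
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

/**
 * Delete a submission attachment only if it resolves inside the uploads
 * directory. Returns true on deletion, false when the request is refused.
 */
function delete_submission_file(string $uploadsDir, string $storedPath): bool
{
    $safe = resolve_inside($uploadsDir, $storedPath);
    if ($safe === null || !is_file($safe)) {
        return false;   // anything pointing outside uploads/ ends here
    }
    return unlink($safe);
}

/**
 * Validate an uploaded file: the extension must be on the allowlist and the
 * content-sniffed MIME type must agree with it. Returns an error string,
 * or null when the file is acceptable.
 */
function validate_upload(string $tmpPath, string $clientName): ?string
{
    $allowed = [
        'png' => 'image/png',
        'jpg' => 'image/jpeg',
        'pdf' => 'application/pdf',
    ];
    // Use only the last extension; the content check below is what stops a
    // script body that was renamed to an allowed extension.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return "extension '$ext' not allowed";
    }
    if (!is_file($tmpPath)) {
        return 'uploaded file missing';
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== $allowed[$ext]) {
        return "content type '$detected' does not match .$ext";
    }
    return null;
}

// --- Demonstration on constructed files in a scratch directory ---
$root    = sys_get_temp_dir() . '/form-plugin-example-' . getmypid();
$uploads = "$root/uploads";
mkdir($uploads, 0700, true);
// Constructed stand-ins: a config file outside uploads/, a real PNG header,
// and a PHP script stored under a .png name.
file_put_contents("$root/wp-config.php", "<?php // constructed stand-in\n");
file_put_contents("$uploads/attachment.png", "\x89PNG\r\n\x1a\n");
file_put_contents("$uploads/fake.png", "<?php echo 'not an image'; ?>\n");

printf("upload attachment.png: %s\n", validate_upload("$uploads/attachment.png", 'attachment.png') ?? 'accepted');
printf("upload fake.png:       %s\n", validate_upload("$uploads/fake.png", 'fake.png') ?? 'accepted');
printf("delete ../wp-config.php refused: %s\n", var_export(!delete_submission_file($uploads, "$uploads/../wp-config.php"), true));
printf("wp-config.php still present:     %s\n", var_export(file_exists("$root/wp-config.php"), true));
printf("delete attachment.png:           %s\n", var_export(delete_submission_file($uploads, "$uploads/attachment.png"), true));

// Clean up the scratch directory.
foreach (["$uploads/fake.png", "$root/wp-config.php"] as $f) {
    if (file_exists($f)) {
        unlink($f);
    }
}
rmdir($uploads);
rmdir($root);
```

The deletion check relies on realpath() having canonicalised both sides before the prefix comparison, so a stored path containing "../" or a symlink pointing at the WordPress root is refused rather than followed. The upload check deliberately does not trust the client-reported MIME type or the filename alone; the file content is sniffed and must match what the extension promises.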
SQL Injection (CVE-2024-31077)
• Affected Versions: Up to 1.29.3
• How it works: Attackers with admin privileges can execute arbitrary SQL queries, risking database compromise.
Cross-Site Scripting (CVE-2024-31857)
• Affected Versions: Up to 1.15.4
• How it works: Attackers can inject malicious scripts into browsers by tricking users into clicking crafted links.
Scope of the Issue
Estimates range from 400,000 to over 600,000 websites impacted. Attackers can potentially take over entire sites, steal sensitive data, or use compromised sites for further attacks. As of the latest reports there have been no reports of widespread exploitation, but the risk remains very high because the flaws are easy to exploit and many sites are still unpatched.
Recommendations
Site administrators must update the Forminator plugin to at least version 1.44.3 to patch the arbitrary file deletion vulnerability, and to 1.29.3 or later for earlier vulnerabilities.