CVE-2025-6463
Published: 2025-07-02
Priority: P262 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 10.54% (95.2th percentile)
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| axios | axios | >= 0 < 0.30.0 | 0.30.0 |
| axios | axios | >= 1.0.0 < 1.8.2 | 1.8.2 |
| incsub | forminator | < 1.44.3 | 1.44.3 |
Detection & IOCs (extracted from sources)
- Target the 'entry_delete_upload_files' function in the Forminator Forms plugin for WordPress (versions up to and including 1.44.2) — unauthenticated attackers can supply arbitrary file paths in a form submission, which are deleted when the submission is removed (by admin or auto-deletion).
- Monitor for deletion of critical WordPress files such as wp-config.php, which can be triggered by this vulnerability and lead to remote code execution.
- Alert on exploitation attempts that result in deletion of any file on the web server via the Forminator plugin's unauthenticated arbitrary file deletion flaw, potentially enabling full site compromise.
- The file deletion is not triggered immediately upon form submission; it occurs only when the form submission is deleted, either by an Administrator or via auto-deletion configured in plugin settings. Detection must account for this deferred trigger.
GHSA
GHSA-w787-9chh-w9q4 · ghsa_unreviewed · 2025-07-02
CVE-2025-6463 [HIGH] CWE-73
Advisory text is identical to the description above.
GHSA
ghsa · 2025-03-07
CVE-2025-27152 [HIGH] CWE-918
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
### Summary
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463
A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if `baseURL` is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.
### Details
Consider the following code snippet:
```js
import axios from "axios";

// Client intended to talk only to the internal API; the secret header is
// attached to every request made through it.
const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});
```
No detection rules found.
No public exploits indexed.
Published: 2025-07-02