CVE-2025-6463
published 2025-07-02


Priority: P2 62, High, CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 10.54% (95.2th percentile)
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
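As an added illustration of the missing check the description refers to (this is not Forminator's own code), a hypothetical PHP helper that refuses to unlink anything whose resolved path is outside the plugin's upload directory; the function name, the base-directory argument and the demo layout are assumptions, and POSIX paths plus PHP 8 are assumed:

```php
<?php
// Added example, not the plugin's code: a fail-closed deletion helper that
// only unlinks a file whose resolved path lies inside the allowed upload dir.
function safe_delete_upload(string $uploadBaseDir, string $submittedPath): bool
{
    // Canonicalise the base directory; if it is missing, nothing may be deleted.
    $base = realpath($uploadBaseDir);
    if ($base === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Reject null bytes and stream wrappers (php://, phar://) before any FS call.
    if (strpos($submittedPath, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $submittedPath)) {
        return false;
    }

    // A relative name is resolved against the base directory (POSIX paths assumed).
    if (!str_starts_with($submittedPath, '/')) {
        $submittedPath = $base . $submittedPath;
    }

    // realpath() collapses '..' and follows symlinks, so a symlink planted in the
    // upload dir that points at wp-config.php resolves to its real location.
    $target = realpath($submittedPath);
    if ($target === false) {
        return false; // nonexistent: nothing to delete
    }

    // Containment: the base (with trailing separator) must be a prefix of target.
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return false;
    }

    // Regular files only, never directories or special files.
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demo layout: an upload dir plus a wp-config.php one level above.
$root = sys_get_temp_dir() . '/upload-demo-' . getmypid();
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/upload.txt", 'upload');
file_put_contents("$root/wp-config.php", 'secret');
var_dump(safe_delete_upload("$root/uploads", "../wp-config.php"));    // traversal attempt
var_dump(safe_delete_upload("$root/uploads", "$root/wp-config.php")); // absolute path outside base
var_dump(safe_delete_upload("$root/uploads", "upload.txt"));          // legitimate upload
```

The check belongs on the delete side, because the stored path is attacker-controlled at submission time and the deletion happens later, when an administrator or the auto-deletion setting removes the entry.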

Affected

3 ranges

Vendor   Product      Version range        Fixed in
axios    axios        >= 0 < 0.30.0        0.30.0
axios    axios        >= 1.0.0 < 1.8.2     1.8.2
incsub   forminator   < 1.44.3             1.44.3

Detection & IOCs (extracted from sources)

  • Detection focus: the 'entry_delete_upload_files' function in the Forminator Forms plugin for WordPress (versions up to and including 1.44.2); unauthenticated attackers can supply arbitrary file paths in a form submission, which are deleted when the submission is removed (by an administrator or by auto-deletion).
  • Monitor for deletion of critical WordPress files such as wp-config.php, which can be triggered by this vulnerability and lead to remote code execution.
  • Alert on exploitation attempts that result in deletion of any file on the web server via the Forminator plugin's unauthenticated arbitrary file deletion flaw, potentially enabling full site compromise.
  • The file deletion is not triggered immediately upon form submission; it occurs only when the form submission is deleted, either by an Administrator or via auto-deletion configured in plugin settings. Detection must account for this deferred trigger.