{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6463", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-20T22:02:55.475Z", "datePublished": "2025-07-02T04:24:56.446Z", "dateUpdated": "2026-04-08T16:59:32.467Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:32.467Z"}, "affected": [{"vendor": "wpmudev", "product": "Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.44.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc9b4cb-d36b-4693-a7b9-1dad123b6639?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249"}, {"url": "https://plugins.trac.wordpress.org/changeset/3319860/forminator#file3"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Tan Phat"}], "timeline": [{"time": "2025-06-25T17:42:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-01T16:22:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T13:16:56.357561Z", "id": "CVE-2025-6463", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:17:02.392Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6463", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-02T13:16:56.357561Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:16:59.112Z"}}], "cna": {"title": "Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Tan Phat"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "wpmudev", "product": "Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.44.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-25T17:42:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-01T16:22:05.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc9b4cb-d36b-4693-a7b9-1dad123b6639?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249"}, {"url": "https://plugins.trac.wordpress.org/changeset/3319860/forminator#file3"}], "descriptions": [{"lang": "en", "value": "The Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:32.467Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6463", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:32.467Z", "dateReserved": "2025-06-20T22:02:55.475Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-02T04:24:56.446Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:incsub:forminator:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "9BE163FA-F920-4268-9E59-9CD1C5063DD7", "versionEndExcluding": "1.44.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}, {"lang": "es", "value": "El complemento Forminator Forms \u2013 Contact Form, Payment Form &amp; Custom Form Builder para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n 'entry_delete_upload_files' en todas las versiones hasta la 1.44.2 incluida. Esto permite que atacantes no autenticados incluyan rutas de archivo arbitrarias en el env\u00edo de un formulario. El archivo se eliminar\u00e1 al eliminar el formulario, ya sea por un administrador o mediante la eliminaci\u00f3n autom\u00e1tica determinada por la configuraci\u00f3n del complemento. Esto puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php)."}], "id": "CVE-2025-6463", "lastModified": "2025-07-07T14:28:51.123", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-07-02T05:15:27.737", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3319860/forminator#file3"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc9b4cb-d36b-4693-a7b9-1dad123b6639?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:11:16.214122+00:00", "value": {"mitigation_remediation": ["Upgrade the Forminator plugin to the latest available release that contains the file\u2011path validation fix.", "If upgrading is not immediately possible, disable the plugin\u2019s automatic entry deletion feature and restrict form submissions to authenticated users only.", "Enforce stricter file permissions or deploy a web\u2011application firewall rule that blocks deletion of critical WordPress files such as wp-config.php."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the Forminator plugin in versions up to and including 1.44.2 are affected. The vulnerability exists in the wpmudev:Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder product and affects any WordPress environment where this plugin is installed.", "description_and_impact": "The Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder plugin fails to validate file paths in the entry_delete_upload_files function, allowing an unauthenticated attacker to specify any file when submitting a form. When the form entry is deleted\u2014either by an administrator or automatically\u2014the plugin deletes the file referenced by that path. If the attacker chooses a critical WordPress file such as wp-config.php or any plugin file, the loss of that file can be leveraged to execute arbitrary code on the site.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity flaw. The EPSS score of less than 1% suggests a very low probability of exploitation at the time of this analysis, and the issue is not listed in CISA\u2019s KEV catalog. Nevertheless, the flaw can be exploited by unauthenticated users via the public form submission endpoint, and the attack path requires only form submission, making the vulnerability straightforward to use if an attacker can target a site that allows form submissions. Once the form entry is deleted, the arbitrary file path provided will be interpreted and removed by the plugin, potentially enabling remote code execution."}}}}, "created": "2026-04-22T01:15:07.312590+00:00", "updated": "2026-04-22T01:15:07.312600+00:00", "vendors": []}