- Researchers found a way to trick Forminator into deleting a core WordPress file
- Doing so pushes the site into its setup state, where attackers can take it over
- A fix is available and users are urged to apply it
A popular WordPress plugin active on hundreds of thousands of websites has been found to carry a high-severity vulnerability that could allow threat actors to fully compromise affected sites.
Forminator is a form builder plugin that lets WordPress operators add contact, comment, quiz, survey and custom payment forms. Everything is drag and drop, which makes it user-friendly, and it plays well with many other plugins.
Recently, a security researcher using the alias “Phat Rio – Bluerock” found that the plugin had insufficient validation and sanitization of file fields in form submissions, combined with unsafe file-deletion logic. This could be abused to submit a crafted file path in any field, which (after a few steps) would cause Forminator to delete a core WordPress file. As a result, the entire site is pushed into its “setup” state, where the attacker can take it over.
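As an added illustration, not Forminator's own code and not a claim about how the patch was implemented, here is the kind of check that keeps a form's upload-cleanup routine from deleting anything outside the uploads directory. `wp_upload_dir()` and `wp_delete_file_from_directory()` are real WordPress functions; `safe_delete_form_upload()` is a hypothetical helper.

```php
<?php
// Illustrative example (not Forminator's code). Assumes it runs inside
// WordPress, so wp_upload_dir() and wp_delete_file_from_directory() exist.
// Deletes a stored form upload only if it resolves inside wp-content/uploads.
function safe_delete_form_upload( string $path ): bool {
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $target  = realpath( $path );

    // realpath() returns false for a missing file and resolves "../" and
    // symlinks, so the comparison below is on the real on-disk location.
    if ( false === $base || false === $target ) {
        return false;
    }

    // Anything that resolves outside the uploads directory, such as
    // wp-config.php at the site root, is refused and logged for the owner.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        error_log( 'Refused to delete path outside uploads dir: ' . $path );
        return false;
    }

    if ( ! is_file( $target ) ) {
        return false;
    }

    // WordPress core helper that performs its own directory containment
    // check before unlinking, giving a second layer of defence.
    return wp_delete_file_from_directory( $target, $base );
}
```

The same containment rule applies to any value that reaches a deletion routine from a submitted form: never unlink a path taken from user input without resolving it and checking it against the directory it is allowed to live in.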
How to stay safe
“Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control,” noted Wordfence experts, a WordPress security project.
The vulnerability is tracked as CVE-2025-6463 and has a severity score of 8.8/10 (high). All versions up to 1.44.2 are vulnerable. According to WordPress.org data, more than 600,000 active sites use this plugin, which makes the attack surface quite large.
The first clean version is 1.44.3, and the plugin's vendor, WPMU DEV, urges all users to apply it as soon as possible. BleepingComputer said that since the patch was released, the plugin has been downloaded 200,000 times, “but it is not known how many sites currently remain vulnerable to exploitation”.
To mitigate the risk of attack, site owners should upgrade their Forminator plugin to the latest version or deactivate the plugin entirely. In general, WordPress as a platform is considered secure, with third-party plugins and themes being the weakest link in that security chain.
That said, WordPress users are advised to keep only the plugins and themes they actually use, ensure those are updated regularly, and deactivate and delete all the others.