If you run a WordPress site and use the Forminator plugin, there’s a major vulnerability you need to know about. A new exploit—CVE-2025-6463—was just disclosed, and it’s already affecting hundreds of thousands of websites.
This one’s serious: it lets attackers delete any file on your site, which can easily lead to complete site takeover. No login, no authentication, no fancy hacking required. Just a few lines of code—and boom—your site could be gone.
What is CVE-2025-6463?
This vulnerability affects the Forminator plugin (by WPMU DEV), which is used by over 600,000 WordPress sites to build contact forms, quizzes, and polls. The bug is present in versions 1.29.2 and earlier, and lets unauthenticated users delete arbitrary files on your server—like wp-config.php.
Why is that a big deal? Because once that file’s gone, WordPress will treat your site like it’s brand new. Attackers can then walk through the install wizard and set up a fresh admin account—one they control.
It’s the WordPress equivalent of breaking in through the back door, locking you out, and changing the keys.
How Bad Is It?
Pretty bad. It has a CVSS score of 9.8 (out of 10), which means it’s classified as critical. And because it’s already being exploited in the wild, this isn’t a theoretical issue—it’s active.
Wordfence and other security researchers are seeing this vulnerability being hit hard right now, especially by bots scanning for vulnerable sites.
How Does It Work?
The bug comes down to poor input validation. Forminator didn’t properly sanitize the file paths when deleting forms—so someone could trick it into deleting system files instead.
With the right payload, an attacker can:
- Wipe out critical files
- Reset your site
- Create a new admin account
- Take control of your WordPress dashboard
- Drop in malware or phishing pages
All without needing to be logged in.
What Should You Do?
If you’re running Forminator on your site, here’s what I recommend:
1. Update the plugin immediately to version 1.29.3 or newer.
2. Check your site’s file integrity. Look for missing or recently changed files (especially wp-config.php, .htaccess, or core files).
3. Use a Web Application Firewall (WAF) like Wordfence or Cloudflare to block malicious requests.
4. Review your users list to make sure no new admins were added.
5. Restore from a backup if your site was compromised. And if you don’t have backups… now’s the time to start.
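The first two checks above (plugin version and file integrity) are easy to script. The following is an added example, not code from the post or from WPMU DEV; it assumes the plugin's main file lives at wp-content/plugins/forminator/forminator.php with a standard WordPress "Version:" header, and it builds a constructed, deliberately unpatched site tree to audit.

```python
import os
import re
import tempfile
import time
from pathlib import Path

FIXED = (1, 29, 3)  # first patched Forminator release named in the post
# Assumed location of the plugin's main file (standard slug); verify on your install.
PLUGIN_MAIN = Path("wp-content") / "plugins" / "forminator" / "forminator.php"

def parse_version(header_text):
    """Read the 'Version:' line of a WordPress plugin header into an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\d+(?:\.\d+)*)", header_text, re.MULTILINE)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def audit(wp_root, recent_days=7, now=None):
    """Return findings for the WordPress tree at wp_root: unpatched plugin,
    missing wp-config.php, and PHP/.htaccess files changed within recent_days."""
    root, now = Path(wp_root), (time.time() if now is None else now)
    findings = []
    main = root / PLUGIN_MAIN
    if main.is_file():
        ver = parse_version(main.read_text())
        if ver is None or ver < FIXED:
            shown = ".".join(map(str, ver)) if ver else "unknown"
            findings.append(f"forminator {shown} < 1.29.3: update now")
    if not (root / "wp-config.php").is_file():
        findings.append("wp-config.php missing: site may have been reset by an attacker")
    cutoff = now - recent_days * 86400
    for p in sorted(root.rglob("*")):
        if p.is_file() and (p.suffix == ".php" or p.name == ".htaccess"):
            if p.stat().st_mtime >= cutoff:
                findings.append(f"recently modified: {p.relative_to(root).as_posix()}")
    return findings

def demo():
    """Build a constructed site tree (old plugin, no wp-config.php, fresh .htaccess)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / PLUGIN_MAIN).parent.mkdir(parents=True)
        (root / PLUGIN_MAIN).write_text("<?php\n/*\n * Plugin Name: Forminator\n * Version: 1.29.2\n */\n")
        (root / "index.php").write_text("<?php // constructed, untouched core file\n")
        (root / ".htaccess").write_text("RewriteEngine On\n")  # constructed: touched today
        old = time.time() - 30 * 86400  # backdate files that should not be flagged
        for p in (root / "index.php", root / PLUGIN_MAIN):
            os.utime(p, (old, old))
        return audit(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Point audit() at a real document root to get the same three kinds of findings; reviewing the admin user list still has to be done in the dashboard or database.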
Lessons Learned
This is one of those moments that reminds us how fragile a WordPress site can be when plugins aren’t updated. You could be running a tight ship, and one outdated plugin can sink it.
The Forminator team responded quickly and released a patch—but a lot of sites still haven’t updated. If you manage multiple sites, now’s the time to check every one of them.
Also: stop putting off backups. Automate them. Test them. You’ll never regret having one.
Sources if You Want to Dive Deeper: