600K Sites at Risk: The Hidden WordPress Flaw That Could Destroy Your Business
“One form, one click, full site control.” That’s how easy it could be to lose your WordPress site to a cybercriminal today.
What Happened?
A critical vulnerability (CVE-2025-6463) has been discovered in the Forminator plugin, a popular WordPress tool used on over 600,000 websites. This isn’t a minor bug—it’s a high-severity flaw (CVSS 8.8) that could let anyone on the internet delete files from your site’s server—no login needed.
That means your site’s heart—its configuration, database, even security settings—could be wiped out in seconds.
And it’s already being weaponized.
How the Exploit Works — In Plain English
Forminator lets you create custom forms on your website (like contact forms, quizzes, polls). When someone submits a form, it can save uploaded files—like resumes or signatures.
But here’s where things go sideways:
The plugin didn’t properly check what files could be deleted when a submission was removed.
So a hacker could submit a form with a file path pointing to a critical file—like your wp-config.php file, the brain of your WordPress site.
Then? If that submission is deleted (either automatically or by an admin)… 💥 that critical file is gone.
Now your site goes into setup mode, and guess who can jump in and reconfigure it? That’s right—the attacker.
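As an added illustration (not Forminator's own code and not the actual patch), the snippet below contrasts a cleanup routine that trusts a submitter-supplied path with one that confines deletion to the plugin's upload directory; the function names, the 'uploaded_file' field and $uploads_dir are assumptions.

```php
<?php
// Added illustration of the defect class behind CVE-2025-6463 (not Forminator's code).
// Assumptions: $submission['uploaded_file'] holds a value that originated from the
// form submitter, and $uploads_dir is the directory where the plugin stores uploads.

// Vulnerable pattern: whatever path is stored with the submission gets deleted.
function delete_submission_files_unsafe(array $submission): void {
    $path = $submission['uploaded_file'];   // submitter-controlled, never validated
    if (file_exists($path)) {
        unlink($path);                      // arbitrary file deletion
    }
}

// Hardened pattern: delete only a regular file that resolves inside the uploads
// directory, after rejecting any value that is not a plain file name.
function delete_submission_files_safe(array $submission, string $uploads_dir): bool {
    $base = realpath($uploads_dir);
    if ($base === false) {
        return false;
    }
    $name = $submission['uploaded_file'];
    // A stored value containing directory components (../, absolute paths) is
    // rejected outright rather than "normalised"; log it for the site owner.
    if ($name === '' || $name === '.' || $name === '..' || $name !== basename($name)) {
        error_log('submission cleanup: rejected suspicious file name ' . $name);
        return false;
    }
    // realpath() resolves symlinks, so a link planted inside the uploads directory
    // that points at wp-config.php would resolve outside $base and be refused.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log('submission cleanup: refused path outside uploads: ' . $name);
        return false;
    }
    if (!is_file($target)) {                // never unlink directories or special files
        return false;
    }
    return unlink($target);
}
```

The same confinement check belongs at upload time too: storing only the basename the plugin itself assigned removes the need to trust the stored value later.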
Why This is a Big Deal
This is not just a plugin bug—it’s a golden key for attackers:
No login required
No prior knowledge of the site
Can lead to complete site takeover
Can be automated across thousands of WordPress sites
And since it relies on deleting a core file, it's stealthy: there's no need to upload malware, just delete the right file and hijack the setup.
Who Found It and What’s Been Done
Props to security researcher Phat RiO – BlueRock, who responsibly disclosed the issue via the Wordfence Bug Bounty Program. They earned the highest reward to date—$8,100, and rightfully so.
The Forminator team (WPMU DEV) patched the issue in version 1.44.3, released on June 30, 2025.
Wordfence Premium users got a firewall rule four days earlier. Free users will get protection by July 26, so manual action is critical until then.
What You Should Do Right Now
If you run a WordPress site with Forminator installed, here’s your action list:
✅ Update Forminator to version 1.44.3 or later
✅ Check your form settings for any auto-deletion behaviors
✅ Look for unexpected file deletions
✅ Back up your wp-config.php and other critical files
✅ Install a WordPress firewall or security plugin (e.g., Wordfence)
Why This Keeps Happening
WordPress plugin vulnerabilities aren't going away. As your site grows, so does its attack surface.
Plugins offer power—but also risk. It’s critical to:
Stay up to date
Monitor plugin changelogs
Use threat detection tools
Back up regularly
Train your team (or yourself) to react fast
Even simple plugins can open doors wide enough for attackers to walk through—without even knocking.
Final Thoughts
This incident is a wake-up call. If you're running WordPress, your security isn't just about passwords and firewalls. It's about the tiny unchecked boxes in your plugins, the silent auto-deletes, and the line of code that nobody looked at… until now.
Don’t wait for the lights to go out.
Patch now. Monitor always. And remember—your website is only as secure as its weakest plugin.