CVE-2025-6463: CWE-73 External Control of File Name or Path in wpmudev Forminator Forms – Contact Form, Payment Form & Custom Form Builder
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-6463 is a vulnerability identified in the Forminator Forms plugin for WordPress, versions up to and including 1.44.2. The flaw resides in the 'entry_delete_upload_files' function, which inadequately validates file paths provided in form submissions. This insufficient validation allows an unauthenticated attacker to specify arbitrary file paths during form submission. When a form submission is deleted—either manually by an administrator or automatically via plugin settings—the specified files are deleted from the server. This arbitrary file deletion can be weaponized to remove critical WordPress files such as wp-config.php, potentially leading to remote code execution by destabilizing the application or enabling attackers to upload malicious code. The vulnerability is remotely exploitable over the network without authentication, though it requires user interaction in the form of submitting a crafted form. The CVSS v3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity. No public exploits have been reported yet, but the risk is significant given the plugin's popularity and the critical nature of the affected files. The vulnerability is categorized under CWE-73 (External Control of File Name or Path). No official patches have been linked yet, so users must apply mitigations promptly.
Potential Impact
The impact of CVE-2025-6463 is severe for organizations running WordPress sites with the vulnerable Forminator Forms plugin. Successful exploitation can lead to arbitrary deletion of files on the web server, including critical configuration files like wp-config.php. This can cause site outages (availability impact), data breaches (confidentiality impact), and unauthorized modifications or remote code execution (integrity impact). The ability for unauthenticated attackers to trigger this via form submissions increases the attack surface, especially for public-facing websites. Organizations relying on these forms for contact, payment, or custom data collection are at risk of service disruption and compromise. The vulnerability could be exploited to deface websites, steal sensitive data, or pivot to deeper network intrusion. The lack of authentication requirement and ease of exploitation make this a high-risk threat globally, particularly for businesses with high web traffic and sensitive data processed through these forms.
Mitigation Recommendations
1. Immediately disable or restrict the deletion of form submissions in the Forminator Forms plugin until a patch is available.
2. Implement web application firewall (WAF) rules to detect and block suspicious form submissions containing file path traversal patterns or unexpected file path parameters.
3. Restrict file system permissions for the WordPress installation to prevent deletion of critical files by the web server user.
4. Monitor logs for unusual deletion activities or form submissions with suspicious payloads.
5. Educate administrators to avoid automatic deletion settings that could trigger file removals without manual oversight.
6. Regularly back up WordPress files and databases to enable quick recovery in case of file deletion.
7. Once available, promptly apply official patches from the plugin vendor.
8. Consider isolating the WordPress environment using containerization or sandboxing to limit the blast radius of potential exploitation.
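As an added example (not the plugin's own code), the containment check a deletion routine like entry_delete_upload_files should apply before unlinking: canonicalize both the uploads directory and the requested path and refuse anything that does not stay inside the uploads directory. It is plain PHP for the command line; the directory layout and file names are constructed stand-ins for wp-content/uploads and wp-config.php.

```php
<?php
// Added example, not Forminator's code: refuse to delete anything whose
// canonical path is not inside the uploads directory. Returns true only
// when a regular file inside $base_dir was actually removed.
function safe_delete_upload(string $base_dir, string $requested): bool
{
    $base = realpath($base_dir);
    if ($base === false) {
        return false;                                   // uploads dir must exist
    }
    // Trailing separator so "/uploads-evil/x" cannot pass as inside "/uploads".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() collapses "..", "." and symlinks; false means "no such file",
    // which is also a reason to do nothing rather than guess.
    $target = realpath($requested);
    if ($target === false || !is_file($target)) {
        return false;
    }
    if (strncmp($target, $base, strlen($base)) !== 0) {
        // Worth alerting on: a stored upload path should never point elsewhere.
        error_log("refused to delete path outside uploads dir: $requested");
        return false;
    }
    return unlink($target);
}

// Self-test on a constructed layout under the system temp directory
// (stand-ins for wp-content/uploads and wp-config.php).
$root = sys_get_temp_dir() . '/cwe73-demo-' . getmypid();
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/photo.png", 'upload');
file_put_contents("$root/wp-config.php", 'config');

$traversal = safe_delete_upload("$root/uploads", "$root/uploads/../wp-config.php");
$absolute  = safe_delete_upload("$root/uploads", "$root/wp-config.php");
$legit     = safe_delete_upload("$root/uploads", "$root/uploads/photo.png");

printf("traversal path refused: %s\n", $traversal ? 'no' : 'yes');
printf("absolute path refused:  %s\n", $absolute ? 'no' : 'yes');
printf("wp-config.php intact:   %s\n", file_exists("$root/wp-config.php") ? 'yes' : 'no');
printf("legitimate upload gone: %s\n", $legit && !file_exists("$root/uploads/photo.png") ? 'yes' : 'no');

// Clean up the constructed files.
@unlink("$root/wp-config.php");
rmdir("$root/uploads");
rmdir($root);
```

Storing only the plugin-generated file name rather than a submitted path, and rejecting any stored value that contains a directory separator, removes the problem at its source; the realpath containment check then remains as defence in depth.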
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-20T22:02:55.475Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6864b8046f40f0eb72917e7d
Added to database: 7/2/2025, 4:39:32 AM
Last enriched: 2/26/2026, 3:37:18 PM
Last updated: 3/22/2026, 3:07:24 PM