CVE-2025-6463: CWE-73 External Control of File Name or Path in wpmudev Forminator Forms – Contact Form, Payment Form & Custom Form Builder
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-6463 is a high-severity vulnerability in the WordPress plugin 'Forminator Forms – Contact Form, Payment Form & Custom Form Builder' by wpmudev. The root cause is insufficient validation of file paths in the 'entry_delete_upload_files' function, present in all versions up to and including 1.44.2. An unauthenticated attacker can place an arbitrary file path in a form submission, where it is stored with the entry as though it referred to an uploaded file. Nothing happens at submission time; the stored path is acted on when the entry is deleted, whether by an administrator cleaning up submissions or by the plugin's automatic entry-deletion setting, and at that point the plugin removes the file at the stored path without checking that it lies inside the uploads directory. The attacker therefore chooses which file the web-server process deletes, which is the defining condition of CWE-73 (External Control of File Name or Path). The route to remote code execution is the one the advisory points at with wp-config.php: once that file is gone, WordPress has no database configuration and serves its installation wizard (wp-admin/setup-config.php) to any visitor, so the attacker can complete the installation against a database they control, obtain an administrator account, and then execute PHP through the plugin or theme upload features. The CVSS v3.1 base score is 8.8 (High): network attack vector, low attack complexity, no privileges required, user interaction required (the deletion that triggers the unlink), and high impact on confidentiality, integrity and availability. No in-the-wild exploitation is reported in this record, but the preconditions are modest: a publicly reachable form and an eventual deletion of the poisoned entry. The record references no fixed version, so treat any installation at 1.44.2 or earlier as vulnerable and check the vendor's changelog for the release that addresses this CVE.
Potential Impact
For European organizations running WordPress with the vulnerable Forminator Forms plugin, the practical impact is site takeover rather than simple file loss. Deleting wp-config.php takes the site offline and leaves the WordPress installer reachable to anyone; deleting other files can remove controls enforced by files such as .htaccess. Because the submission step needs no authentication and the trigger is routine housekeeping, the attack lends itself to automation across many sites. Downtime, loss or exposure of customer data held in the CMS, and defacement follow directly, and where personal data is processed a takeover is a reportable incident under GDPR, with the reputational and regulatory consequences that implies. WordPress is widely used in Europe for commercial, public-sector and e-commerce sites, so the exposed population is broad.
Mitigation Recommendations
European organizations should audit every WordPress installation for the Forminator Forms plugin and record its version; anything at 1.44.2 or earlier is affected. The key operational fact is that the damage happens at deletion time, not submission time, so an unpatched site may already hold poisoned entries that are harmless until someone, or the plugin's scheduler, deletes them. Until the site is patched: 1) Deactivate the plugin, or at minimum disable its automatic entry-deletion/retention setting, and do not bulk-delete existing submissions through the plugin. 2) Before any cleanup, review stored entries for upload-field values that contain path separators, '../' sequences, or absolute paths outside wp-content/uploads; treat any such entry as evidence of an exploitation attempt and preserve it rather than deleting it. 3) Put a WAF rule in front of the form submission endpoint that rejects field values resembling file paths (traversal sequences, references to wp-config.php or .htaccess, paths outside the uploads directory); IP allow-listing is rarely workable for a public contact form, so rule-based filtering is the realistic control there, while allow-listing remains appropriate for wp-admin. 4) Harden the filesystem: deleting a file requires write permission on its directory, not on the file itself, so make the WordPress root directory non-writable by the PHP/web-server user, and consider moving wp-config.php one level above the web root, which WordPress supports natively, provided that directory is also not writable by the web-server user. 5) Keep tested backups of files and database so a deleted configuration file can be restored before the installer is abused. 6) Log and alert on unexpected file removals under the web root and on any request for /wp-admin/setup-config.php on a site that is already installed, which indicates wp-config.php is missing; a security plugin that monitors file integrity can supply this. 7) Apply the vendor update that addresses this CVE as soon as it is available, then re-check stored entries before resuming normal deletion. 8) Brief administrators that deleting submissions on an unpatched site is the trigger, so that no one 'cleans up' their way into the attack.
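A worked check for the control the technical summary says was missing, and for the entry review recommended in the mitigations, as an added example rather than Forminator's own code. It is written in Python so it can be run offline against an exported set of entries; the entry layout (an 'id' and a 'fields' map whose values carry a 'file_path'), the uploads directory, and the sample entries are all assumed for illustration. `vulnerable_entry_delete` shows the CWE-73 pattern of unlinking whatever was stored; `hardened_entry_delete` applies a path-confinement check before unlinking; `triage_entries` runs the same check read-only over stored entries. The unlink function is injected so the example never touches a real file.

```python
"""Added example (not Forminator's code): the path check that CVE-2025-6463
says was missing from entry deletion, plus a triage pass over stored entries.
The entry layout, uploads directory and sample data below are assumed."""
import posixpath
from typing import Callable, Optional

# Assumption: WordPress default uploads base directory.
UPLOADS_DIR = "/var/www/html/wp-content/uploads"


def resolve_under(base: str, candidate: str) -> Optional[str]:
    """Return the normalised absolute path if `candidate` lies inside `base`,
    otherwise None.

    Relative values are joined onto `base`, which is how a stored upload path
    would normally be used. The check is lexical (normpath); a real
    implementation should also realpath() both sides so a symlink planted
    inside uploads cannot point at a file outside it.
    """
    if not candidate or "\x00" in candidate:
        return None  # empty value or NUL-truncation attempt
    base_n = posixpath.normpath(base)
    joined = candidate if posixpath.isabs(candidate) else posixpath.join(base_n, candidate)
    resolved = posixpath.normpath(joined)
    # The trailing "/" stops "/uploads_old/x" from passing as a child of "/uploads".
    if resolved == base_n or resolved.startswith(base_n + "/"):
        return resolved
    return None


def vulnerable_entry_delete(entry: dict, unlink: Callable[[str], None]) -> list:
    """CWE-73 pattern: unlink whatever path the submission stored."""
    deleted = []
    for value in entry["fields"].values():
        path = value.get("file_path")
        if path:
            unlink(path)
            deleted.append(path)
    return deleted


def hardened_entry_delete(entry: dict, unlink: Callable[[str], None],
                          base: str = UPLOADS_DIR) -> tuple:
    """Same routine with the missing control: only paths that resolve inside
    the uploads directory reach unlink(); everything else is reported."""
    deleted, rejected = [], []
    for name, value in entry["fields"].items():
        path = value.get("file_path")
        if not path:
            continue
        resolved = resolve_under(base, path)
        if resolved is None:
            rejected.append((name, path))
        else:
            unlink(resolved)
            deleted.append(resolved)
    return deleted, rejected


def triage_entries(entries: list, base: str = UPLOADS_DIR) -> list:
    """Incident-response pass: list stored upload paths that escape `base`.
    Run it over exported entries BEFORE deleting any of them, because on an
    unpatched site the deletion itself is what removes the target file."""
    findings = []
    for entry in entries:
        for name, value in entry["fields"].items():
            path = value.get("file_path")
            if path and resolve_under(base, path) is None:
                findings.append((entry["id"], name, path))
    return findings


# Constructed sample entries in an assumed layout; not real plugin data.
SAMPLE_ENTRIES = [
    {"id": 101, "fields": {"upload-1": {"file_path": UPLOADS_DIR + "/2025/06/cv.pdf"}}},
    {"id": 102, "fields": {"upload-1": {"file_path": "2025/06/./report.docx"}}},
    {"id": 103, "fields": {"upload-1": {"file_path": "../../wp-config.php"}}},
    {"id": 104, "fields": {"upload-1": {"file_path": "/var/www/html/wp-config.php"}}},
    {"id": 105, "fields": {"upload-1": {"file_path": UPLOADS_DIR + "_old/keep.txt"}}},
]

if __name__ == "__main__":
    for finding in triage_entries(SAMPLE_ENTRIES):
        print("SUSPICIOUS entry %d field %s -> %s" % finding)
```

Running the file prints the three constructed entries whose stored path escapes the uploads directory (a relative traversal, an absolute path to wp-config.php, and a sibling-directory prefix trick). On a live site the key layout must be adapted to however the plugin actually serialises entry metadata, and both base and candidate should additionally pass through realpath() so a symlink inside uploads cannot redirect the unlink.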
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-20T22:02:55.475Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6864b8046f40f0eb72917e7d
Added to database: 7/2/2025, 4:39:32 AM
Last enriched: 7/2/2025, 4:54:34 AM
Last updated: 7/2/2025, 1:24:32 PM
Related Threats
- CVE-2025-45813: n/a (Critical)
- CVE-2025-45814: n/a (Critical)
- CVE-2025-20309: Use of Hard-coded Credentials in Cisco Unified Communications Manager Session Management Edition Engineering Special (Critical)
- CVE-2025-45424: n/a (Medium)
- CVE-2025-20310: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Cisco Enterprise Chat and Email (Medium)