- Researchers find a way to trick Forminator into deleting a WordPress core file
- Doing so drops the site into setup mode, where attackers can take it over
- A patch is available and users are advised to apply it
A popular WordPress plugin active on hundreds of thousands of websites was found to carry a high-severity vulnerability that could allow threat actors to completely take over affected websites.
Forminator is a form-builder plugin that lets WordPress operators add custom contact, feedback, quiz, poll, survey and payment forms. Everything is drag-and-drop and therefore easy to use, and it plays well with many other plugins.
Recently, a security researcher going by the alias ‘Phat Rio – Bluerock’ discovered that the plugin had insufficient validation and sanitization of form input, as well as insecure file-deletion logic. This could be abused by inserting a crafted file path into any field, which (after a few steps) forced Forminator to delete a core WordPress file. As a result, the entire website drops into the “setup” stage, where the attacker can take over.
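As an added illustration (not Forminator's code or its actual fix), this is the kind of check a plugin's deletion routine needs so that a value typed into a form field can never point it at a core file: delete only what the plugin itself recorded as an upload, and only if the resolved path lies inside the uploads directory. It assumes a WordPress runtime for wp_upload_dir(), ABSPATH and wp_delete_file_from_directory(); the submission records are constructed.

```php
<?php
// Added example, not Forminator's code or fix: a plugin-side file deletion that
// only removes files the plugin itself recorded as uploads, and only when their
// resolved path lies inside the WordPress uploads directory. Assumes a WordPress
// runtime for wp_upload_dir(), ABSPATH and wp_delete_file_from_directory().

/**
 * Delete a submission's uploaded file. Returns true if deleted, false if refused.
 *
 * @param array $record Server-side record of the field: ['type' => ..., 'path' => ...].
 */
function plugin_delete_submission_upload( array $record ) {
    // 1. Only act on values the plugin stored for a genuine upload field; a path
    //    that arrived in a text field is never treated as something to delete.
    if ( ( $record['type'] ?? '' ) !== 'upload' || empty( $record['path'] ) ) {
        return false;
    }

    $uploads_base = realpath( wp_upload_dir()['basedir'] );
    $target       = realpath( $record['path'] );

    // realpath() resolves '..' and symlinks; false means the path does not exist.
    if ( false === $uploads_base || false === $target ) {
        return false;
    }

    // 2. Path confinement: the resolved file must sit below the uploads directory,
    //    so ABSPATH . 'wp-config.php' (or any traversal reaching it) is refused.
    $base_prefix = rtrim( $uploads_base, '/\\' ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $target, $base_prefix ) ) {
        error_log( 'Refused to delete file outside uploads dir: ' . $target );
        return false;
    }

    // 3. Let core re-check the directory boundary immediately before unlinking.
    return wp_delete_file_from_directory( $target, $uploads_base );
}

// Constructed submission records for illustration.
$genuine_upload = array(
    'type' => 'upload',
    'path' => wp_upload_dir()['basedir'] . '/forminator/submission-17/resume.pdf',
);
$hostile_field = array(
    'type' => 'text',
    'path' => ABSPATH . 'wp-config.php', // client-supplied value in a text field
);

plugin_delete_submission_upload( $hostile_field );  // refused at step 1; step 2 would also refuse it
plugin_delete_submission_upload( $genuine_upload ); // deleted only if the file exists under uploads
```

The ordering matters: the type check stops the routine from ever consulting the filesystem for a non-upload field, and the realpath-based containment check catches traversal and symlink tricks even for genuine upload records.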
How to stay safe
“Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control,” said experts at Wordfence, a WordPress security project.
The vulnerability is tracked as CVE-2025-6463 and has a severity score of 8.8/10 (high). All versions up to and including 1.44.2 are vulnerable. According to WordPress.org data, more than 600,000 active websites use the plugin, which makes the attack surface quite large.
The first clean version is 1.44.3, and the plugin's vendor, WPMU DEV, urges all users to apply it as soon as possible. BleepingComputer says that since the patch was released the plugin has been downloaded 200,000 times, “but it is unclear how many are currently vulnerable to exploitation.”
To mitigate the risk of attack, website administrators should update their Forminator plugin to the latest version, or disable and remove the plugin entirely. In general, WordPress as a platform is considered secure, with plugins and themes being the weakest link in this security chain.
That said, WordPress users are advised to keep only the plugins and themes they actually use, make sure those are updated regularly, and disable and remove everything else.