1.0 Introduction
Recently, WordPress has released security updates to address a critical vulnerability (CVE-2025-6463) in the Forminator plugin – a popular WordPress tool active on over 600,000 websites.
2.0 Impact
This vulnerability allows anauthenticated remote attackers to delete arbitrary files on the server, including highly sensitive files such as wp-config.php. If exploited, the vulnerability can lead to complete site takeover, enabling attackers to hijack the WordPress installation and potentially execute arbitrary code.
3.0 Affected Products
- Forminator – Contact Form, Payment Form & Custom Form Builder all versions prior to 1.44.3
4.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review the security updates released by Wordfence and apply the necessary updates.
Kindly refer to the following URL:
- https://plugins.trac.wordpress.org/changeset/3319860/forminator#file3
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc9b4cb-d36b-4693-a7b9-1dad123b6639?source=cve
Generally, we advise users of this device to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact Cyber999 through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 -17.30 MYT
Web:
https://www.cybersecurity.my
5.0 References
- https://nvd.nist.gov/vuln/detail/CVE-2025-6463
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc9b4cb-d36b-4693-a7b9-1dad123b6639?source=cve
- https://plugins.trac.wordpress.org/changeset/3319860/forminator#file3
- https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249