Description
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-07-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin fails to validate file paths in the entry_delete_upload_files function, allowing an unauthenticated attacker to specify any file when submitting a form. When the form entry is deleted—either by an administrator or automatically—the plugin deletes the file referenced by that path. If the attacker chooses a critical WordPress file such as wp-config.php or any plugin file, the loss of that file can be leveraged to execute arbitrary code on the site.

Affected Systems

All WordPress sites running the Forminator plugin in versions up to and including 1.44.2 are affected. The vulnerable product is Forminator Forms – Contact Form, Payment Form & Custom Form Builder (vendor wpmudev), and the issue affects any WordPress environment where this plugin is installed.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity flaw. The EPSS score of less than 1% suggests a very low probability of exploitation at the time of this analysis, and the issue is not listed in CISA’s KEV catalog. Nevertheless, the flaw is reachable by unauthenticated users through the public form submission endpoint: the attacker needs only to submit a form, and the file removal follows whenever that entry is later deleted, whether by an administrator or by the plugin's auto-deletion (the UI:R component of the CVSS vector reflects this dependence on a deletion event). Once the entry is deleted, the arbitrary file path supplied in the submission is interpreted and removed by the plugin, potentially enabling remote code execution.
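The weakness described above (CWE-73, external control of a file name passed to a delete operation) is avoided by canonicalising the stored path and confirming it lies inside the uploads directory before calling unlink. The following is an added example, not Forminator's own code; the function names are assumed, and $base stands in for wp_upload_dir()['basedir'] on a real WordPress install.

```php
<?php
// Added example, not Forminator's own code: a deletion helper that only removes
// a stored upload path when it canonicalises to a location inside the uploads
// directory. Function names are assumed; $base stands in for
// wp_upload_dir()['basedir'] on a real WordPress install.

function example_path_is_within(string $path, string $base): bool
{
    // realpath() resolves "..", "." and symlinks, and returns false when the
    // target does not exist, so a dangling or traversal path is refused too.
    $real = realpath($path);
    $realBase = realpath($base);
    if ($real === false || $realBase === false) {
        return false;
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Prefix match on canonical paths; the trailing separator stops
    // "/uploads-evil" from matching base "/uploads".
    return strncmp($real, $realBase, strlen($realBase)) === 0;
}

function example_delete_upload(string $path, string $base): bool
{
    if (!example_path_is_within($path, $base)) {
        error_log('refused to delete path outside uploads dir: ' . $path);
        return false;
    }
    return is_file($path) && unlink($path);
}

// Constructed self-check: a temporary uploads directory with one attachment,
// plus a decoy wp-config.php one level up that must survive.
$tmp = sys_get_temp_dir() . '/forminator-example-' . getmypid();
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/uploads/attachment.txt', 'attachment');
file_put_contents($tmp . '/wp-config.php', '<?php // decoy');

$uploads = $tmp . '/uploads';
var_dump(example_delete_upload($uploads . '/attachment.txt', $uploads));
var_dump(example_delete_upload($uploads . '/../wp-config.php', $uploads));
var_dump(file_exists($tmp . '/wp-config.php'));

// Clean up the temporary files.
@unlink($tmp . '/wp-config.php');
@rmdir($uploads);
@rmdir($tmp);
```

Run from the CLI with php: the attachment inside the uploads directory is deleted, the traversal path to the decoy wp-config.php is refused, and the decoy still exists afterwards.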

Generated by OpenCVE AI on April 22, 2026 at 01:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Forminator plugin to the latest available release that contains the file‑path validation fix.
  • If upgrading is not immediately possible, disable the plugin’s automatic entry deletion feature and restrict form submissions to authenticated users only.
  • Enforce stricter file permissions or deploy a web‑application firewall rule that blocks deletion of critical WordPress files such as wp-config.php.

Advisories
Source: EUVD
ID: EUVD-2025-19711
Title: The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00213}
Values Added: {'score': 0.00215}

Mon, 07 Jul 2025 14:45:00 +0000

Type: First Time appeared
Values Added: Incsub; Incsub forminator

Type: CPEs
Values Added: cpe:2.3:a:incsub:forminator:*:*:*:*:free:wordpress:*:*

Type: Vendors & Products
Values Added: Incsub; Incsub forminator

Wed, 02 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 02 Jul 2025 04:45:00 +0000

Type: Description
Values Added: The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Type: Title
Values Added: Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion

Type: Weaknesses
Values Added: CWE-73

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:32.467Z

Reserved: 2025-06-20T22:02:55.475Z

Link: CVE-2025-6463

Vulnrichment

Updated: 2025-07-02T13:16:59.112Z

NVD

Status : Analyzed

Published: 2025-07-02T05:15:27.737

Modified: 2025-07-07T14:28:51.123

Link: CVE-2025-6463

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses