CVE-2025-6463
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission DeletionThe Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
We have discovered 66,772 live websites that are affected by CVE-2025-6463.
Affected Software
| Product |  Forminator |
| Category | Wordpress Plugins |
| Vulnerable Domains | 66,772 live websites (100% of Forminator install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 130 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-73 External Control of File Name or PathDetails
- Published - Jul 2, 2025
- Updated - Jul 2, 2025
Credits
- Nguyen Tan Phat (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-6463 United States | 27,779 websites |
 Germany | 6,956 websites |
 France | 4,447 websites |
 GB | 3,761 websites |
 Denmark | 2,819 websites |
 Cyprus | 2,231 websites |
 Italy | 1,664 websites |
 Netherlands | 1,658 websites |
 South Africa | 1,362 websites |
 Poland | 1,160 websites |
Website Distribution by TLD
Number of websites using CVE-2025-6463| .com | 28,972 websites |
| .org | 3,582 websites |
| .co.uk | 3,408 websites |
| .de | 2,882 websites |
| .dk | 2,313 websites |
| .fr | 2,272 websites |
| .nl | 1,940 websites |
| .com.au | 1,597 websites |
| .it | 1,371 websites |
| .ca | 1,209 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-6463
Top websites that are affected by CVE-2025-6463. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | United States | *,*** | |
| ********.org | United States | *,*** | |
| ******.me | United States | *,*** | |
| **************.com | France | **,*** | |
| **********.com | United States | **,*** | |
| ********.it | Italy | **,*** | |
| *****.ru |  Russia | **,*** | |
| *****************.***.uk | GB | **,*** | |
| *******.org | United States | **,*** | |
| ******.com | Germany | **,*** |
FAQ
CVE-2025-6463 is External Control of File Name or Path in Forminator
A total of 66,772 websites have been identified as vulnerable to CVE-2025-6463, based on global website indexing conducted by WebTechSurvey.
The Forminator is affected by the CVE-2025-6463 vulnerability.
Forminator versions up to and including 1.44.2 are vulnerable to CVE-2025-6463.