A high-severity vulnerability was discovered in the Forminator WordPress plugin, potentially allowing hackers to take over affected websites.
The vulnerability stems from insufficient validation of form field input combined with unsafe file deletion logic, which could force Forminator to delete a core WordPress file, leading to a complete site takeover.
The issue is tracked as CVE-2025-6463 with a severity score of 8.8/10 and affects all versions up to 1.44.2. A patch (version 1.44.3) is available, and users are advised to update immediately to mitigate the risk.
Experts recommend upgrading the Forminator plugin to the latest version, or disabling or deleting it, to stay safe. With over 600,000 active websites using the plugin, applying the patch is crucial to avoid exploitation.
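
To find installs that still run an affected version, the following added example (not code from the article or from the Forminator project) walks a directory tree for the plugin's main file and compares its `Version:` header against the 1.44.3 fix. It assumes the plugin sits at the standard `wp-content/plugins/forminator/forminator.php` path; the root directory passed on the command line is whatever hosts your sites.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 44, 3)  # first patched release, per the article
# Assumption: standard plugin slug and main file name.
PLUGIN_REL = "wp-content/plugins/forminator/forminator.php"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)


def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = VERSION_RE.search(text[:8192])  # WordPress reads only the first 8 KiB
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version):
    """True when version is below the fixed release (1.44 counts as 1.44.0)."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def audit(root):
    """Yield (path, version, status) for every Forminator install under root."""
    for main_file in Path(root).rglob(PLUGIN_REL):
        try:
            text = main_file.read_text(encoding="utf-8", errors="replace")
        except OSError:
            yield main_file, None, "unreadable"
            continue
        version = parse_version(text)
        if version is None:
            status = "unknown"
        else:
            status = "VULNERABLE" if is_vulnerable(version) else "patched"
        yield main_file, version, status


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = list(audit(root))
    for path, version, status in findings:
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:10} {shown:10} {path}")
    # Non-zero exit when anything is not confirmed patched, for use in cron/CI.
    sys.exit(1 if any(s != "patched" for _, _, s in findings) else 0)
```

A deactivated plugin still has its files on disk and is reported here as well, so treat the output as an inventory of what needs updating or removing.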