heise online

600,000 WordPress instances can be exploited to a breach in Forminator plug-in

The function “entry_delete_upload_files” does not sufficiently check passed path information. Unregistered malicious actors can specify arbitrary file paths in a form submission, the file is then ...
Bleeping Computer

Forminator plugin flaw exposes WordPress sites to takeover attacks

The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks. The security issue is tracked as CVE-2025-6463 and ...