Cyber Resilience

CVE-2025-6463

High

Published: 02 July 2025

Modified: 07 July 2025
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0115 (78.9th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-6463 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Incsub Forminator. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 21.1% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

The Forminator Forms plugin for WordPress, used for building contact, payment, and custom forms, contains an arbitrary file deletion vulnerability in all versions through 1.44.2. The flaw stems from insufficient validation of file paths supplied to the entry_delete_upload_files function, which permits external control over the paths that are later processed during submission deletion.

Unauthenticated attackers can supply arbitrary file paths during form submission. When an administrator or the plugin's auto-deletion settings later remove the submission, the referenced file is deleted from the server. Deleting a sensitive file such as wp-config.php can lead to remote code execution, which is why the issue carries a CVSS 3.1 score of 8.8.

The EPSS score has remained flat at 0.0115 with no material increase since disclosure. Public references include the vulnerable code path in the plugin's form-entry-model.php and the corresponding changeset that addresses the path-handling logic.

Vulnerability details

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
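The check that both descriptions above call for, written here as an added example rather than Forminator's own code: a hardened "delete the submission's uploads" routine that canonicalises each stored path and refuses anything that resolves outside the plugin's upload directory. The function names, the temp-directory stand-ins for the upload directory and for wp-config.php, and the error_log call are assumptions.

```php
<?php
// Hardened "delete uploads on submission delete" routine (added example, not
// Forminator's code; names are hypothetical). The stored path came from the
// form submission, so it is untrusted until proven to live inside $allowedDir.

// Return the canonical path if it is a regular file under $allowedDir, else null.
// realpath() resolves "..", symlinks and repeated slashes before the prefix check,
// so a symlink inside the upload dir pointing at wp-config.php is rejected too.
function resolve_upload_path(string $untrustedPath, string $allowedDir): ?string
{
    $base = realpath($allowedDir);
    $real = realpath($untrustedPath);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Trailing separator stops "/uploads-other/" from matching "/uploads".
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

// Delete the submission's recorded files, skipping any that resolve outside the
// upload directory. Returns the paths actually removed.
function delete_submission_uploads(array $storedPaths, string $allowedDir): array
{
    $deleted = [];
    foreach ($storedPaths as $p) {
        $safe = resolve_upload_path((string) $p, $allowedDir);
        if ($safe === null) {
            error_log("refused to delete path outside upload dir: $p");
            continue;
        }
        if (unlink($safe)) {
            $deleted[] = $safe;
        }
    }
    return $deleted;
}

// Constructed demo: a temp dir stands in for the plugin's upload directory and a
// second temp file stands in for wp-config.php.
$uploads = sys_get_temp_dir() . '/forminator-demo-' . bin2hex(random_bytes(4));
mkdir($uploads);
file_put_contents("$uploads/legit.pdf", 'x');
$outside = tempnam(sys_get_temp_dir(), 'config-stand-in-');
$stored  = ["$uploads/legit.pdf", $outside, "$uploads/../" . basename($outside)];
print_r(delete_submission_uploads($stored, $uploads));
var_dump(file_exists($outside));
```

Storing only a server-generated file name per upload and joining it to the upload directory at deletion time removes the need for the prefix check altogether; the check above is the defence when a full path has already been persisted.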

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: incsub
Product: forminator
Versions: ≤ 1.44.3

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-73: rejects externally supplied file or resource identifiers that fail validity checks.
