CVE-2025-6463
Published: 02 July 2025
Summary
CVE-2025-6463 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Incsub Forminator. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 21.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Forminator Forms plugin for WordPress, used for building contact, payment, and custom forms, contains an arbitrary file deletion vulnerability in all versions through 1.44.2. The flaw stems from insufficient validation of file paths supplied to the entry_delete_upload_files function, which permits external control over the paths that are later processed during submission deletion.
Unauthenticated attackers can supply arbitrary file paths during form submission. When an administrator or the plugin's auto-deletion settings later removes the submission, the referenced file is deleted from the server. Successful exploitation of sensitive files such as wp-config.php can result in remote code execution, and the issue carries a CVSS 3.1 score of 8.8.
The EPSS score has remained flat at 0.0115 with no material increase since disclosure. Public references include the vulnerable code path in the plugin's form-entry-model.php and the corresponding changeset that addresses the path-handling logic.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19711
Vulnerability details
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
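As an added example (not Forminator's own code, and not the fix in the referenced changeset), the PHP below shows the containment check a CWE-73 defect of this kind needs before an entry's upload is deleted: the stored path is canonicalised with realpath() and must resolve to a regular file beneath the upload directory, otherwise the deletion is refused. The temporary upload tree and file names are constructed for the demonstration.

```php
<?php
// Defensive check for the pattern behind CVE-2025-6463: never unlink a
// path taken from a form submission until it is proven to live inside
// the plugin's own upload directory.

function is_safe_upload_path(string $baseDir, string $candidate): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false; // upload base directory must exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return false; // unresolvable path, missing file, or a directory
    }
    // realpath() collapses "../" segments and follows symlinks, so a prefix
    // comparison on the canonical path is the real containment test.
    return strncmp($real, $base, strlen($base)) === 0;
}

function delete_entry_upload(string $baseDir, string $storedPath): bool
{
    if (!is_safe_upload_path($baseDir, $storedPath)) {
        error_log("Refused to delete path outside uploads: $storedPath");
        return false;
    }
    return unlink($storedPath);
}

// Constructed demo tree: an uploads directory plus a file outside it that
// stands in for wp-config.php.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cve-2025-6463-demo-' . getmypid();
mkdir("$tmp/uploads/forminator", 0700, true);
file_put_contents("$tmp/uploads/forminator/receipt.pdf", 'x');
file_put_contents("$tmp/wp-config.php", '<?php // stand-in for the real config');

$uploads = "$tmp/uploads";
var_dump(delete_entry_upload($uploads, "$uploads/forminator/receipt.pdf"));
var_dump(delete_entry_upload($uploads, "$uploads/forminator/../../wp-config.php"));
var_dump(file_exists("$tmp/wp-config.php"));

// Clean up the demo tree.
unlink("$tmp/wp-config.php");
rmdir("$tmp/uploads/forminator");
rmdir("$tmp/uploads");
rmdir($tmp);
```

A stronger design stores only an entry-relative file name and rebuilds the full path server-side, so no caller-supplied absolute path ever reaches unlink().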
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Rejects externally supplied file or resource identifiers that fail validity checks.