On June 20th, 2025, we received a submission for an Arbitrary File Deletion vulnerability in Forminator, a WordPress plugin with more than 600,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be leveraged to delete critical files like wp-config.php, which can lead to remote code execution.
Props to Phat RiO – BlueRock who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $8,100.00 for this discovery, the top bounty awarded through our program so far. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 26, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on July 26, 2025.
We contacted the WPMU DEV team on June 23, 2025, and they registered on our Wordfence Vulnerability Management Portal for WordPress vendors on June 25, 2025. After receiving the full disclosure details instantly through the portal, the developer released the patch on June 30, 2025. We would like to commend the WPMU DEV team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Forminator, version 1.44.3 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Technical Analysis
Forminator is a popular WordPress form builder plugin that allows users to create various types of forms, such as contact forms, payment forms, quizzes, and polls, using a user-friendly drag-and-drop builder.
Examining the code reveals that the plugin uses the save_entry_fields() function in the Forminator_CForm_Front_Action class to save the form entry fields to the database.
Unfortunately, this function does not perform any sanitization on the submitted field values. It calls the set_fields() function in the Forminator_Form_Entry_Model class, which stores the meta key and the serialized meta value in the database exactly as received.
public function set_fields( $meta_array, $entry_date = '' ) {
    global $wpdb;

    if ( $meta_array && ! is_array( $meta_array ) && ! empty( $meta_array ) ) {
        return false;
    }

    // probably prevent_store enabled.
    $prevent_store = ! $this->entry_id;

    if ( ! $prevent_store ) {
        // clear cache first.
        wp_cache_delete( $this->entry_id, self::FORM_ENTRY_CACHE_GROUP );
        wp_cache_delete( 'poll_entries_' . $this->form_id, self::FORM_ENTRY_CACHE_GROUP );
    }

    foreach ( $meta_array as $meta ) {
        if ( ! isset( $meta['name'] ) || ! isset( $meta['value'] ) ) {
            continue;
        }
        $key   = wp_unslash( $meta['name'] );
        $value = wp_unslash( $meta['value'] );

        if ( ! $prevent_store ) {
            // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
            $meta_id = $wpdb->insert(
                esc_sql( $this->table_meta_name ),
                array(
                    'entry_id'     => $this->entry_id,
                    'meta_key'     => $key, // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
                    'meta_value'   => maybe_serialize( $value ), // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_value
                    'date_created' => ! empty( $entry_date ) ? $entry_date : date_i18n( 'Y-m-d H:i:s' ),
                )
            );
Because the value is stored verbatim, an attacker can submit an array shaped like the plugin's upload metadata (an array with a file key holding one or more file_path entries) in any field, for example a plain name field, when submitting the form.
Further examination of the code reveals that the plugin uses the entry_delete_upload_files() function in the Forminator_Form_Entry_Model class to delete a form submission's uploaded files when the submission itself is deleted. The submission can be deleted manually by an administrator, or automatically according to the plugin's retention settings.
public static function entry_delete_upload_files( $form_id, $entry_model ) {
    $custom_form     = Forminator_Base_Form_Model::get_model( $form_id );
    $submission_file = 'delete';
    if ( is_object( $custom_form ) ) {
        $settings        = $custom_form->settings;
        $submission_file = isset( $settings['submission-file'] ) ? $settings['submission-file'] : 'delete';
    }
    if ( 'delete' === $submission_file ) {
        foreach ( $entry_model->meta_data as $meta_data ) {
            $meta_value = $meta_data['value'];
            if ( is_array( $meta_value ) && isset( $meta_value['file'] ) ) {
                $file_path = is_array( $meta_value['file']['file_path'] ) ? $meta_value['file']['file_path'] : array( $meta_value['file']['file_path'] );
                if ( ! empty( $file_path ) ) {
                    foreach ( $file_path as $key => $path ) {
                        if ( ! empty( $path ) && file_exists( $path ) ) {
                            wp_delete_file( $path );
                            if ( isset( $meta_value['file']['file_url'][ $key ] ) ) {
                                $attachment_id = attachment_url_to_postid( $meta_value['file']['file_url'][ $key ] );
                                if ( $attachment_id ) {
                                    wp_delete_attachment( $attachment_id );
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
Unfortunately, the function checks neither the field type nor the file extension, and it does not restrict the path to the uploads directory. Any meta value that is an array with a file key is treated as upload metadata, and every existing path it lists is passed to wp_delete_file(). As previously established, users can supply such an array in any form submission field, even one that should never accept files, so the vulnerability is exploitable on any site with at least one active form.
Ultimately, this makes it possible for unauthenticated attackers to specify arbitrary files on the server, including the site's wp-config.php file, and the file will be deleted when the submission is deleted. Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.
While exploitation does depend on the submission being deleted, either by an administrator acting on it or by the plugin's automatic cleanup, we believe that deletion of form submissions, especially ones crafted to look like spam, is a very likely occurrence, making this vulnerability a prime target for attackers. We recommend ensuring all WordPress sites have been updated as soon as possible.
The Patch
The vendor patched this issue by adding a field type check and a file path check to the entry_delete_upload_files() function. Only files belonging to fields of the 'upload' or 'signature' type are now deleted, and the resolved path must lie within the WordPress uploads directory.
public static function entry_delete_upload_files( $form_id, $entry_model ) {
    $custom_form     = Forminator_Base_Form_Model::get_model( $form_id );
    $submission_file = 'delete';
    if ( is_object( $custom_form ) ) {
        $settings        = $custom_form->settings;
        $submission_file = isset( $settings['submission-file'] ) ? $settings['submission-file'] : 'delete';
    }
    if ( 'delete' === $submission_file ) {
        $upload_root = wp_upload_dir();
        if ( empty( $upload_root['basedir'] ) ) {
            return;
        }
        $upload_root = $upload_root['basedir'];
        foreach ( $entry_model->meta_data as $slug => $meta_data ) {
            $meta_value = $meta_data['value'];
            $field_type = Forminator_Core::get_field_type( $slug );
            if ( in_array( $field_type, array( 'upload', 'signature' ), true ) && is_array( $meta_value ) && isset( $meta_value['file'] ) ) {
                $file_path = is_array( $meta_value['file']['file_path'] ) ? $meta_value['file']['file_path'] : array( $meta_value['file']['file_path'] );
                if ( ! empty( $file_path ) ) {
                    foreach ( $file_path as $key => $path ) {
                        $path = realpath( $path );
                        if ( ! $path || ! file_exists( $path ) ) {
                            continue;
                        }
                        $basename  = wp_basename( $path );
                        $sanitized = sanitize_file_name( $basename );
                        if ( $basename !== $sanitized ) {
                            continue;
                        }
                        $normalized_upload_root = wp_normalize_path( $upload_root );
                        $normalized_path        = wp_normalize_path( $path );
                        if ( ! empty( $normalized_upload_root ) && 0 !== strpos( $normalized_path, $normalized_upload_root ) ) {
                            continue;
                        }
                        wp_delete_file( $path );
                        if ( isset( $meta_value['file']['file_url'][ $key ] ) ) {
                            $attachment_id = attachment_url_to_postid( $meta_value['file']['file_url'][ $key ] );
                            if ( $attachment_id ) {
                                wp_delete_attachment( $attachment_id );
                            }
                        }
                    }
                }
            }
        }
    }
}
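To make the before-and-after concrete, the following is an added Python model of the deletion routine in both its vulnerable and patched forms, exercised against a constructed directory tree. It is not the plugin's PHP and not Wordfence's or WPMU DEV's code; it mirrors the control flow of the two entry_delete_upload_files() versions quoted above, stands in a fixed FIELD_TYPES mapping for Forminator_Core::get_field_type(), and uses its own helper names throughout. One detail worth noting for anyone writing a similar check: the patch's containment test is a bare prefix comparison on the normalized path, so a directory whose name merely begins with the uploads directory's name (uploads-old beside uploads, for instance) would also satisfy it. The model's inside_dir() appends a path separator before comparing, which closes that gap, and prefix_only_check() shows the weaker comparison for contrast.

```python
"""Model of Forminator's entry-file cleanup before and after the 1.44.3 patch.
Added example, not the plugin's PHP. FIELD_TYPES stands in for
Forminator_Core::get_field_type(); all helper names are this example's own."""
import os
import tempfile

# Assumed slug-to-type mapping; the real plugin derives the type from the field slug.
FIELD_TYPES = {"name-1": "name", "upload-1": "upload", "signature-1": "signature"}
DELETABLE_TYPES = {"upload", "signature"}


def _paths_from_meta(meta_value):
    """Paths listed in a file-shaped meta value ({'file': {'file_path': ...}}), else []."""
    if not (isinstance(meta_value, dict) and isinstance(meta_value.get("file"), dict)):
        return []
    file_path = meta_value["file"].get("file_path")
    return list(file_path) if isinstance(file_path, list) else [file_path]


def vulnerable_cleanup(meta_data, upload_root=None):
    """Pre-1.44.3: any field, any existing path, no containment check."""
    deleted = []
    for _slug, meta_value in meta_data.items():
        for path in _paths_from_meta(meta_value):
            if path and os.path.exists(path):
                os.remove(path)
                deleted.append(path)
    return deleted


def prefix_only_check(path, root):
    """The patch's containment test: a bare prefix comparison of the resolved paths."""
    return os.path.realpath(path).startswith(os.path.realpath(root))


def inside_dir(path, root):
    """Stricter containment: resolved path is root itself or lies below root + separator."""
    real, root = os.path.realpath(path), os.path.realpath(root)
    return real == root or real.startswith(root + os.sep)


def hardened_cleanup(meta_data, upload_root):
    """1.44.3 logic: only upload/signature fields, only resolved paths inside upload_root."""
    deleted = []
    for slug, meta_value in meta_data.items():
        if FIELD_TYPES.get(slug) not in DELETABLE_TYPES:
            continue
        for path in _paths_from_meta(meta_value):
            if not path or not os.path.exists(path) or not inside_dir(path, upload_root):
                continue
            os.remove(path)
            deleted.append(os.path.realpath(path))
    return deleted


def make_site():
    """Constructed throwaway tree: wp-config.php, one real upload, and a sibling
    directory that shares the 'uploads' name prefix."""
    site = tempfile.mkdtemp()
    uploads = os.path.join(site, "wp-content", "uploads")
    sibling = os.path.join(site, "wp-content", "uploads-old")
    os.makedirs(uploads)
    os.makedirs(sibling)
    files = {
        "config": os.path.join(site, "wp-config.php"),
        "legit": os.path.join(uploads, "cv.pdf"),
        "sibling": os.path.join(sibling, "keep.txt"),
    }
    for p in files.values():
        open(p, "w").close()
    return uploads, files


def attacker_meta(uploads, files):
    """Constructed submission: a plain name field carrying a file-shaped array (the bug),
    plus a real upload field padded with a traversal path and a sibling-directory path."""
    traversal = os.path.join(uploads, "..", "..", "wp-config.php")
    return {
        "name-1": {"file": {"file_path": [files["config"]]}},
        "upload-1": {"file": {"file_path": [files["legit"], traversal, files["sibling"]]}},
    }


def run_demo():
    """Which constructed files survive each cleanup version (True = still on disk)."""
    results = {}
    for label, cleanup in (("vulnerable", vulnerable_cleanup), ("hardened", hardened_cleanup)):
        uploads, files = make_site()
        cleanup(attacker_meta(uploads, files), uploads)
        results[label] = {name: os.path.exists(p) for name, p in files.items()}
    return results


if __name__ == "__main__":
    for version, survivors in run_demo().items():
        print(version, survivors)
```

Running the module shows the vulnerable routine removing wp-config.php, the legitimate upload and the sibling-directory file alike, while the hardened routine removes only the genuine upload: the name field is skipped by the type check, and the traversal path resolves outside the uploads directory and is refused.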
Disclosure Timeline
June 20, 2025 – We received the submission for the Arbitrary File Deletion vulnerability in Forminator via the Wordfence Bug Bounty Program.
June 21, 2025 – We validated the report and confirmed the proof-of-concept exploit.
June 23, 2025 – We initiated contact via the vendor contact form, asking that they confirm the inbox for handling the discussion.
June 25, 2025 – The vendor registered on our Wordfence Vulnerability Management Portal for WordPress vendors.
June 25, 2025 – The full disclosure details were sent to the vendor automatically upon registering and verifying ownership of their software. The vendor acknowledged the report and began working on a fix.
June 26, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
June 30, 2025 – The fully patched version of the plugin, 1.44.3, was released.
July 26, 2025 – Wordfence Free users will receive the same protection.
Conclusion
In this blog post, we detailed an Arbitrary File Deletion vulnerability within the Forminator plugin affecting versions 1.44.2 and earlier. This vulnerability allows unauthenticated threat actors to delete arbitrary files on the server which can be leveraged to achieve remote code execution and lead to complete site compromise. The vulnerability has been addressed in version 1.44.3 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Forminator as soon as possible considering the critical nature of this vulnerability.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 26, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on July 26, 2025.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
The post 600,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Forminator WordPress Plugin appeared first on Wordfence.